13241300x80000000000000001668340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:38.643{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0x00dd3393) 10341000x80000000000000001761573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:38.469{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:38.469{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:38.469{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:38.469{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:38.469{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:38.469{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:38.469{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:38.469{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:38.469{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:38.469{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:38.469{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:38.469{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001761561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:57:38.329{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001761560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:57:38.329{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001761559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:57:38.329{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001761558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:57:38.329{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\FlagsDWORD (0x00000002) 13241300x80000000000000001761557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:57:38.329{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\TtlDWORD (0x000004b0) 13241300x80000000000000001761556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:57:38.329{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentPriUpdateToIpBinary Data 13241300x80000000000000001761555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:57:38.329{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentUpdateToIpBinary Data 13241300x80000000000000001761554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:57:38.329{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\DnsServersBinary Data 13241300x80000000000000001761553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:57:38.329{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\HostAddrsBinary Data 13241300x80000000000000001761552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:57:38.329{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\PrimaryDomainNameattackrange.local 13241300x80000000000000001761551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:57:38.329{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\AdapterDomainName(Empty) 13241300x80000000000000001761550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:57:38.329{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\Hostnamewin-dc-429 13241300x80000000000000001761549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:57:38.329{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 354300x80000000000000001761548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:35.702{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64753- 354300x80000000000000001761547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:35.328{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local63849-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001761546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:35.328{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local63849- 354300x80000000000000001761545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:35.328{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:c880:5de0:89c6:ffff-63849-truea00:10e:0:0:0:0:0:0win-dc-429.attackrange.local53domain 354300x80000000000000001761544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:35.328{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local60718- 354300x80000000000000001761543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:35.327{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62966- 354300x80000000000000001761542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:35.327{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62966-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 354300x80000000000000001761541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:35.322{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61752-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001761540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:35.322{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61752-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001761539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:35.321{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local60720- 354300x80000000000000001761538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:35.319{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local61751-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001761537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:35.319{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local61751-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001761536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:35.315{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local60336- 354300x80000000000000001761535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:35.315{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local60336-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001761534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:35.314{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58426- 354300x80000000000000001761575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:38.330{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local64939- 354300x80000000000000001761574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:38.329{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62993- 354300x80000000000000001761579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:39.767{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61755-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001761578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:39.767{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61755-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001761577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:39.765{5EBD8912-BF43-6156-0D00-000000000002}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61754-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001761576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:39.765{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61754-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001668341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:42.264{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49701-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001761580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:43.678{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54254486- 23542300x80000000000000001761591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:48.969{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FADF88B0407734D402F327B2BC045DA4,SHA256=3AB3C8FB336A864329A3E6C2F800A9549F9AA5A45DE696A5EF6C59BCD405B5D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:48.782{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FCBF247447CE2ED39AF01C63E37E0F8,SHA256=7187C0FB44654729A616BEEBC76ACE037911A20EA36279F376B1ECA63787387E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:48.782{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3C1262F547055F7034F707FDDE4D820,SHA256=C5B8C4EFB5CA2C70A40F7F413D6A48FD62C8511646B763AD7540173F44DA98D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:48.766{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D90E5C399999A79EF5392556729AF979,SHA256=B5F5E4E25415455748D52D2E32763A9D0D771EC68BFCF7802FFB803D188074F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:48.704{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D90E5C399999A79EF5392556729AF979,SHA256=B5F5E4E25415455748D52D2E32763A9D0D771EC68BFCF7802FFB803D188074F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:48.688{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=062EF13823973C0C5C22403793698F35,SHA256=D1E94E492A84641EA8267EE1B514E4133D5E364A445CA671F074F433B6896D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:48.688{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DNS ServerMD5=6CCD17B229C8DCF247ACF709D2DC83D5,SHA256=165F774AB96D333FF7B9BA8F5B94E746E4464D1F52161C82765CD4928CA06914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:48.688{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=E2DBD83C446541093A3E60BC793BD276,SHA256=2CCA3916389A70B95875B97CF243A49A9D507F3984E9CF9DDDA2B88F443230BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:48.672{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F7F6DCA55028A3FD867A5C0C5CF0E668,SHA256=35AB648C2956E0AC4DDC230A010509CD510D89B2D4040A8AC745A7D9E6AAA3A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:48.672{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=86B3791D79EE7DDD5BD2B49C9962A473,SHA256=747686791DD8935E7D10402FEFB912785C353A38BB25007331336664F460AB73,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001761581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:46.261{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61757-false10.0.1.12-8089- 23542300x80000000000000001668385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.841{69CF5F33-BF7D-6156-6E00-000000000002}3384NT AUTHORITY\SYSTEMC:\Windows\system32\cmd.exeC:\Windows\Temp\silconfig.logMD5=E1CD87568DD1E2E9604D8B3ABC3D30F8,SHA256=05C685507B3B61B6E2A88930156CBA534ED57102E379543EC0A079D2196D4FEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.827{69CF5F33-BF7D-6156-6F00-000000000002}33722236C:\Windows\system32\conhost.exe{69CF5F33-BF7D-6156-7100-000000000002}2204C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.827{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.827{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.827{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.827{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.827{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.827{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.827{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.827{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.827{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.827{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-BF7D-6156-7100-000000000002}2204C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.827{69CF5F33-BF7D-6156-7000-000000000002}24602224C:\Windows\system32\cmd.exe{69CF5F33-BF7D-6156-7100-000000000002}2204C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.822{69CF5F33-BF7D-6156-7100-000000000002}2204C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeC:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{69CF5F33-BF7D-6156-7000-000000000002}2460C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64 10341000x80000000000000001668371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.809{69CF5F33-BF7D-6156-6F00-000000000002}33722236C:\Windows\system32\conhost.exe{69CF5F33-BF7D-6156-7000-000000000002}2460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.809{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.809{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.809{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.809{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.809{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.809{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.809{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.809{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.809{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.809{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-BF7D-6156-7000-000000000002}2460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.809{69CF5F33-BF7D-6156-6E00-000000000002}33843380C:\Windows\system32\cmd.exe{69CF5F33-BF7D-6156-7000-000000000002}2460C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\system32\cmd.exe+103c4|C:\Windows\system32\cmd.exe+10910|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.815{69CF5F33-BF7D-6156-7000-000000000002}2460C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-BF7D-6156-6E00-000000000002}3384C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /d /c C:\Windows\system32\silcollector.cmd configure 10341000x80000000000000001668358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.778{69CF5F33-BF7D-6156-6F00-000000000002}33722236C:\Windows\system32\conhost.exe{69CF5F33-BF7D-6156-6E00-000000000002}3384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.747{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-BF7D-6156-6F00-000000000002}3372C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.731{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.731{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.731{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.731{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.731{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.731{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.731{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.731{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.731{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.731{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-BF7D-6156-6E00-000000000002}3384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.731{69CF5F33-BF40-6156-1600-000000000002}12042452C:\Windows\system32\svchost.exe{69CF5F33-BF7D-6156-6E00-000000000002}3384C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.731{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.731{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:49.181{69CF5F33-BF40-6156-1400-000000000002}7561384C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001668342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:46.636{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49702-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001761592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:48.467{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61759-false10.0.1.12-9997- 23542300x80000000000000001668386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:51.259{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20211001075651-000MD5=E2350FF87285264FC2F693171FD6908F,SHA256=DD0C2B6A4BAA6FC008B19D4F8AE41D7B35D93255AA75D9D1AFF144D5A1F933A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:52.261{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20211001075649-001MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.938{5EBD8912-BF80-6156-7500-000000000002}3360NT AUTHORITY\SYSTEMC:\Windows\system32\cmd.exeC:\Windows\Temp\silconfig.logMD5=6BE69445BC41AC2AD0500F9E4EE696CA,SHA256=269C80F3D8C4CB5D209608CE66EFD6BE481FCF1219FB2969A0429BFFF92FFC73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001761634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.892{5EBD8912-BF80-6156-7600-000000000002}34682188C:\Windows\system32\conhost.exe{5EBD8912-BF80-6156-7800-000000000002}3168C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.892{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.892{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.892{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.892{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.892{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.892{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.892{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.892{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.892{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.892{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-BF80-6156-7800-000000000002}3168C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001761623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.892{5EBD8912-BF80-6156-7700-000000000002}20123244C:\Windows\system32\cmd.exe{5EBD8912-BF80-6156-7800-000000000002}3168C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001761622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.888{5EBD8912-BF80-6156-7800-000000000002}3168C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeC:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{5EBD8912-BF80-6156-7700-000000000002}2012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64 10341000x80000000000000001761621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.876{5EBD8912-BF80-6156-7600-000000000002}34682188C:\Windows\system32\conhost.exe{5EBD8912-BF80-6156-7700-000000000002}2012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.876{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.876{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.876{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.876{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.876{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.876{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.860{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.860{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.860{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.860{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-BF80-6156-7700-000000000002}2012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001761610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.860{5EBD8912-BF80-6156-7500-000000000002}33603992C:\Windows\system32\cmd.exe{5EBD8912-BF80-6156-7700-000000000002}2012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\system32\cmd.exe+103c4|C:\Windows\system32\cmd.exe+10910|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001761609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.874{5EBD8912-BF80-6156-7700-000000000002}2012C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-BF80-6156-7500-000000000002}3360C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /d /c C:\Windows\system32\silcollector.cmd configure 10341000x80000000000000001761608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.844{5EBD8912-BF43-6156-1400-000000000002}10641456C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.844{5EBD8912-BF80-6156-7600-000000000002}34682188C:\Windows\system32\conhost.exe{5EBD8912-BF80-6156-7500-000000000002}3360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.829{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-BF80-6156-7600-000000000002}3468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001761605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.829{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.829{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.829{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.829{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.829{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.829{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.829{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.829{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.829{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.829{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-BF80-6156-7500-000000000002}3360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001761595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.829{5EBD8912-BF43-6156-1600-000000000002}12961944C:\Windows\system32\svchost.exe{5EBD8912-BF80-6156-7500-000000000002}3360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.829{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.829{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001668451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:53.830{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x80000000000000001668450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:53.830{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 17141700x80000000000000001668449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-10-01 07:57:53.815{69CF5F33-BF40-6156-1800-000000000002}1652\Winsock2\CatalogChangeListener-674-0C:\Windows\system32\svchost.exe 13241300x80000000000000001668448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:53.815{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x0000077d) 13241300x80000000000000001668447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:53.799{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{3cbf4f06-c535-4558-82a8-26f69cfba65e}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x80000000000000001668446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:53.799{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{3cbf4f06-c535-4558-82a8-26f69cfba65e}\LastProbeTimeDWORD (0x6156bf81) 12241200x80000000000000001668445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{941dad9d-7b1a-4354-997b-00cf1aa9b35c} 12241200x80000000000000001668444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{935b7f48-0ede-44dd-9bc2-e00bb635cda3} 12241200x80000000000000001668443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{c42f1cd6-3a95-4ae2-a513-793c3ae610c7} 12241200x80000000000000001668442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{2db25e6c-f07a-44f4-b6c8-50a330d2790b} 12241200x80000000000000001668441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{2dd96961-5757-434f-b617-34e732517c0e} 12241200x80000000000000001668440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{0ccc96a3-8c5c-45e2-b80e-7e37b16cc1ad} 12241200x80000000000000001668439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{a47525e2-725b-4888-8af1-ba5a60c04f4d} 12241200x80000000000000001668438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{c016105c-eb34-4519-a5fd-5f4e4ad4d18e} 12241200x80000000000000001668437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{074f7f68-ee10-428a-89d1-ba78f6c327ca} 12241200x80000000000000001668436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{0c3be01b-fe70-4cc4-89dc-c07996b67e6d} 12241200x80000000000000001668435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{c970a45d-57f9-4e32-a5bd-886a9662641e} 12241200x80000000000000001668434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{12c38916-82ac-4737-8f38-b6957ffebad6} 12241200x80000000000000001668433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{0c41d586-9c19-4e01-9d66-b5b98a97576e} 12241200x80000000000000001668432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{dc95b53e-01cf-4058-821d-350b3d0d4676} 12241200x80000000000000001668431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{941dad9d-7b1a-4354-997b-00cf1aa9b35c} 12241200x80000000000000001668430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{935b7f48-0ede-44dd-9bc2-e00bb635cda3} 12241200x80000000000000001668429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{3697a558-3ed3-49be-a4c1-c1a4448653b4} 12241200x80000000000000001668428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{b6fdab6b-dcc6-43e3-99ce-7aeca65063a4} 12241200x80000000000000001668427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{c42f1cd6-3a95-4ae2-a513-793c3ae610c7} 12241200x80000000000000001668426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{2db25e6c-f07a-44f4-b6c8-50a330d2790b} 12241200x80000000000000001668425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{375fb39b-08c6-40f2-bdf2-08fa63f970a2} 12241200x80000000000000001668424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{2dd96961-5757-434f-b617-34e732517c0e} 12241200x80000000000000001668423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{cbfb56db-3c85-4543-9bc2-76ea28cdd74e} 12241200x80000000000000001668422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{13bfd422-6f75-4408-8924-9400ec0cb19c} 12241200x80000000000000001668421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{64e55933-15a5-495d-a928-ccca43d44875} 12241200x80000000000000001668420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{91ffecf0-0a9e-4572-95f1-a7111af86967} 12241200x80000000000000001668419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{0ccc96a3-8c5c-45e2-b80e-7e37b16cc1ad} 12241200x80000000000000001668418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{a47525e2-725b-4888-8af1-ba5a60c04f4d} 12241200x80000000000000001668417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{c016105c-eb34-4519-a5fd-5f4e4ad4d18e} 12241200x80000000000000001668416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{074f7f68-ee10-428a-89d1-ba78f6c327ca} 12241200x80000000000000001668415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{0aa7fff8-919f-453c-928c-28a12122ba38} 12241200x80000000000000001668414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{b6b2ca61-fb98-4422-adc2-e7cf56b3680c} 12241200x80000000000000001668413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{5b0cb2e2-ab87-4974-9f1c-2f22a654eeb9} 12241200x80000000000000001668412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{07a24961-a760-4e80-b263-6d275e1b09cb} 12241200x80000000000000001668411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{1165065e-4996-4338-abaf-4b8556b4d431} 12241200x80000000000000001668410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{716b48eb-0a35-4a76-92ab-1d987230d288} 12241200x80000000000000001668409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{be7cbdf4-b192-4aa5-94f8-1fb5c5ee07bc} 12241200x80000000000000001668408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{4d9581d2-aef8-4993-84cd-b986ced80d42} 12241200x80000000000000001668407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{0c3be01b-fe70-4cc4-89dc-c07996b67e6d} 12241200x80000000000000001668406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{c970a45d-57f9-4e32-a5bd-886a9662641e} 12241200x80000000000000001668405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{12c38916-82ac-4737-8f38-b6957ffebad6} 12241200x80000000000000001668404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{0c41d586-9c19-4e01-9d66-b5b98a97576e} 12241200x80000000000000001668403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{f444c576-6e60-4ea2-9faa-80d57ed12cd2} 12241200x80000000000000001668402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{dc95b53e-01cf-4058-821d-350b3d0d4676} 10341000x80000000000000001668401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.783{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001668400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:53.783{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{3CBF4F06-C535-4558-82A8-26F69CFBA65E}\DateLastConnectedBinary Data 10341000x80000000000000001668399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.783{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.783{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001668397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.705{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x80000000000000001668396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.517{69CF5F33-BF3F-6156-0B00-000000000002}644NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.ftlMD5=3B6EA360654F70E0684F0FF337684098,SHA256=2680BC968E5418E2F3DE2DB910AF27C15725D69948A6AF785B6C4BF2CE11680C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001668395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:53.407{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x0000077c) 13241300x80000000000000001668394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:53.391{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001668393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:53.391{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001668392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:53.156{69CF5F33-BF40-6156-1100-000000000002}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000001) 13241300x80000000000000001668391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:53.156{69CF5F33-BF40-6156-1100-000000000002}1004C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000000) 13241300x80000000000000001668390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:53.124{69CF5F33-BF3D-6156-0100-000000000002}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001668389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:53.124{69CF5F33-BF3D-6156-0100-000000000002}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000002) 13241300x80000000000000001668388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:53.124{69CF5F33-BF3D-6156-0100-000000000002}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\1SWD\IP_TUNNEL_VBUS\Teredo_Tunnel_Device 13241300x80000000000000001668459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:54.897{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001668458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:54.881{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001668457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:54.881{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001668456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:54.881{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001668455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:54.803{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x0000043e) 22542200x80000000000000001668454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.314{69CF5F33-BF40-6156-1000-000000000002}996wpad9003-C:\Windows\System32\svchost.exe 22542200x80000000000000001668453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.313{69CF5F33-BF3F-6156-0B00-000000000002}644_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001668452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.039{69CF5F33-BF40-6156-1600-000000000002}1204win10.ipv6.microsoft.com.0type: 5 onpremwindows.ipv6.microsoft.com.akadns.net;type: 5 trdovmssukwest.ipv6.microsoft.com.akadns.net;40.81.120.44;C:\Windows\System32\svchost.exe 354300x80000000000000001761654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:53.307{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54250209- 354300x80000000000000001761653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:53.307{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54265199- 354300x80000000000000001761652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:53.224{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249710-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001761651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:53.210{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249709-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001761650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:53.196{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249708-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001761649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:53.093{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local389-false10.0.1.15WIN-HOST-54258230- 354300x80000000000000001761648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:53.090{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249707-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001761647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:53.044{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249706-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001761646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:53.042{5EBD8912-BF43-6156-0D00-000000000002}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15WIN-HOST-54249705-false10.0.1.14win-dc-429.attackrange.local135epmap 354300x80000000000000001761645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.982{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local389-false10.0.1.15WIN-HOST-54258228- 354300x80000000000000001761644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.930{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local389-false10.0.1.15WIN-HOST-54258227- 354300x80000000000000001761643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.926{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54258226- 354300x80000000000000001761642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.925{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54252827- 354300x80000000000000001761641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.925{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54251128- 354300x80000000000000001761640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:52.649{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54252264- 23542300x80000000000000001761639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:54.250{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD3C8A6FA12B75773BE99441A035433,SHA256=67AC21E89F85C4EDB89C64303E8BA14413B75AA7EF5EF1D8F3A7FD3D4E3AD701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:54.250{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7789BA94A6FD91EE7D82EA8061661F09,SHA256=DAF9F9A37F245B801B97A7641C9DC83D1F10270B05E1EDECA3F6ADD6C953B69E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:54.235{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7789BA94A6FD91EE7D82EA8061661F09,SHA256=DAF9F9A37F245B801B97A7641C9DC83D1F10270B05E1EDECA3F6ADD6C953B69E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:54.235{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FCBF247447CE2ED39AF01C63E37E0F8,SHA256=7187C0FB44654729A616BEEBC76ACE037911A20EA36279F376B1ECA63787387E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001668471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:55.901{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x0000043f) 22542200x80000000000000001668470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.718{69CF5F33-BF40-6156-1400-000000000002}756zlvaiswx9003-C:\Windows\System32\svchost.exe 22542200x80000000000000001668469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.695{69CF5F33-BF40-6156-1600-000000000002}1204isatap.eu-central-1.compute.internal9003-C:\Windows\System32\svchost.exe 22542200x80000000000000001668468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.476{69CF5F33-BF40-6156-1400-000000000002}756win-dc-429.attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000001668467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.443{69CF5F33-BF40-6156-1000-000000000002}996win-dc-429.attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 354300x80000000000000001668466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.598{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49710-false10.0.1.14-88kerberos 354300x80000000000000001668465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.584{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49709-false10.0.1.14-88kerberos 354300x80000000000000001668464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.570{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49708-false10.0.1.14-88kerberos 354300x80000000000000001668463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.464{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-542.attackrange.local49707-false10.0.1.14-389ldap 354300x80000000000000001668462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.418{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49706-false10.0.1.14-49672- 354300x80000000000000001668461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.415{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49705-false10.0.1.14-135epmap 354300x80000000000000001668460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.085{69CF5F33-BF40-6156-1100-000000000002}1004C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:4d7:820:f5ff:fef0-546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x80000000000000001761655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:55.438{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09891165D40E68B8B45FC1AF2FA813AC,SHA256=0A82532EED7C7066414768BCE7A87086E221BD9C87B6BEF596FCD47594A67532,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001668489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:56.800{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001668488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:56.800{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001668487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:56.528{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0x0b86398d) 13241300x80000000000000001668486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:56.418{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001668485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:56.418{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001668484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:56.418{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001668483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:56.418{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\FlagsDWORD (0x00000002) 13241300x80000000000000001668482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:56.418{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\TtlDWORD (0x000004b0) 13241300x80000000000000001668481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:56.418{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentPriUpdateToIpBinary Data 13241300x80000000000000001668480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:56.418{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentUpdateToIpBinary Data 13241300x80000000000000001668479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:56.418{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\DnsServersBinary Data 13241300x80000000000000001668478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:56.418{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\HostAddrsBinary Data 13241300x80000000000000001668477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:56.418{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\PrimaryDomainNameattackrange.local 13241300x80000000000000001668476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:56.418{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\AdapterDomainName(Empty) 13241300x80000000000000001668475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:56.418{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\Hostnamewin-host-542 13241300x80000000000000001668474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:56.418{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 22542200x80000000000000001668473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:54.146{69CF5F33-BF40-6156-1400-000000000002}756win-host-5421460-C:\Windows\System32\svchost.exe 354300x80000000000000001668472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:53.741{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-542.attackrange.local63455-false40.81.120.44-3544teredo 23542300x80000000000000001761659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:56.547{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7420103299BE8CDAB1DDD187CC6CFD2B,SHA256=C7A6622B60CC5F0D52A96B561F667DED372E176EF0A492285A96D2CE83B2D4A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001761658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:54.447{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54259525- 354300x80000000000000001761657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:53.310{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54251717- 354300x80000000000000001761656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:53.308{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54256469- 13241300x80000000000000001668490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:57.785{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000440) 23542300x80000000000000001761660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:57.797{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A2605210A471CAC9CB96F8C522A78C,SHA256=75F708D80F8EFB2014FDF793670E1C53803F47096668FA732F25C875733891F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:58.453{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89BF9734AA3E67BE5AB9872C8AE047E,SHA256=605E1B36D41CCD9A75B4328DF808B8944CC0F278A3EADE61200A66D2FB1E37C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:58.317{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0194A9AFE5741BA9BB9BFBEB1A4EFD64,SHA256=12C60DA39B592A53EC1F6C69119A3FCCF71A109AA541F112F680C00DB8C31EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:58.317{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE99ADF8E542E27426CB83FB0782C7BB,SHA256=29A0E4FB8BC5EF4BF8DEF0E159A7EFB6ABAD180D7FB6DF2C5A41D8340832D048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:58.301{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8D8E53ED5F19F457A43637B21F1E1112,SHA256=281DF8F3C43214B8C857D4AB68F50B15350E047A6177E6AD410167D4FB4F4E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:58.256{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8D8E53ED5F19F457A43637B21F1E1112,SHA256=281DF8F3C43214B8C857D4AB68F50B15350E047A6177E6AD410167D4FB4F4E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:58.256{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C8F54CA78F49F7567B9856CF2FF62CA1,SHA256=C43DCD450D5A33C6106413DDC1EEAF588A41B677AFB321C18AC531680B457982,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001668492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:56.399{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse10.0.1.14-123ntp 354300x80000000000000001668491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:55.788{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-542.attackrange.local63455-false40.81.120.45-65444- 23542300x80000000000000001761665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:58.860{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717636CBF4036CFC4203F7412889B2C4,SHA256=2901CAEF14C15E4835EC64056AE32B2942725FD8F65BA44C295E9988760F33E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001761664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:55.935{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54252732- 354300x80000000000000001761663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:55.933{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54265163- 354300x80000000000000001761662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:55.915{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local389-false10.0.1.15WIN-HOST-54253641- 354300x80000000000000001761661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:55.524{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54253640- 13241300x80000000000000001668527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:59.807{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x80000000000000001668526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:59.807{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 10341000x80000000000000001668525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:59.731{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:59.731{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:59.731{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:59.731{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:59.731{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:59.731{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:59.731{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:59.731{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:59.731{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:59.731{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:59.731{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:59.731{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000001668513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:56.321{69CF5F33-BF40-6156-1400-000000000002}756win-host-542.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\svchost.exe 13241300x80000000000000001668512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:59.350{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001668511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:59.350{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001668510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:59.350{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001668509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:59.350{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\FlagsDWORD (0x00000002) 13241300x80000000000000001668508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:59.350{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\TtlDWORD (0x000004b0) 13241300x80000000000000001668507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:59.350{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentPriUpdateToIpBinary Data 13241300x80000000000000001668506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:59.350{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentUpdateToIpBinary Data 13241300x80000000000000001668505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:59.350{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\DnsServersBinary Data 13241300x80000000000000001668504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:59.350{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\HostAddrsBinary Data 13241300x80000000000000001668503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:59.350{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\PrimaryDomainNameattackrange.local 13241300x80000000000000001668502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:59.350{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\AdapterDomainName(Empty) 13241300x80000000000000001668501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:59.350{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\Hostnamewin-host-542 13241300x80000000000000001668500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:57:59.350{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 23542300x80000000000000001668499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:59.304{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4E70F997C0339C45B279D6C8670008B6,SHA256=94A29E295E7739EB9CBEC29340516872F9D9378F4DCC246266C845AE70040942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:59.907{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E9A34661B16B91405D364F61BA85D3,SHA256=BCD018B82FFC69493A44A3008584110DFB814F35E709DF5939F5C05D6F1FAF22,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001761669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:57.665{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54259338- 354300x80000000000000001761668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:56.026{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54259233- 354300x80000000000000001761667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:56.026{5EBD8912-BF43-6156-1100-000000000002}444C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse10.0.1.15WIN-HOST-542123ntp 354300x80000000000000001761666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:56.025{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54257837- 10341000x80000000000000001668553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.401{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-BF88-6156-7200-000000000002}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.401{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.401{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.401{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.401{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.401{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.401{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.401{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.401{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.401{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.401{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-BF88-6156-7200-000000000002}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.401{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-BF88-6156-7200-000000000002}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.401{69CF5F33-BF88-6156-7200-000000000002}3832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001668540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:57:57.961{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49712-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal9997- 10341000x80000000000000001668539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.218{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.218{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.218{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.218{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.218{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.218{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.218{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.218{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.218{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.218{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.218{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:00.218{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001761672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:00.954{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F77D1376C2EAC746DEF87CE2D035893,SHA256=795ED5D106073E2A0F9880AA5075F354A839ECE658FDE7DA95FB6022B60784DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001761671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:58.948{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54250380- 10341000x80000000000000001668567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:01.423{69CF5F33-BF89-6156-7300-000000000002}38163976C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:01.133{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-BF89-6156-7300-000000000002}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:01.133{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:01.133{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:01.133{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:01.133{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:01.133{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:01.133{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:01.133{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:01.133{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:01.133{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:01.133{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-BF89-6156-7300-000000000002}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:01.133{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-BF89-6156-7300-000000000002}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:01.134{69CF5F33-BF89-6156-7300-000000000002}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001761676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:01.954{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6091F875A6D4EF1F7E8B8275D28DE1,SHA256=81D693C357EFB059FBC2A7B565F27FAC31FA4BA18CE8B022DB592BDDEB96F076,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001761675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:59.338{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54262193- 354300x80000000000000001761674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:59.337{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54261157- 354300x80000000000000001761673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:57:58.949{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54264311- 13241300x80000000000000001668593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:58:02.293{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001668592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:58:02.293{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001668591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:58:02.293{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001668590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:58:02.293{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\FlagsDWORD (0x00000002) 13241300x80000000000000001668589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:58:02.293{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\TtlDWORD (0x000004b0) 13241300x80000000000000001668588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:58:02.293{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentPriUpdateToIpBinary Data 13241300x80000000000000001668587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:58:02.293{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentUpdateToIpBinary Data 13241300x80000000000000001668586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:58:02.293{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\DnsServersBinary Data 13241300x80000000000000001668585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:58:02.293{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\HostAddrsBinary Data 13241300x80000000000000001668584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:58:02.293{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\PrimaryDomainNameattackrange.local 13241300x80000000000000001668583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:58:02.293{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\AdapterDomainName(Empty) 13241300x80000000000000001668582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:58:02.293{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\Hostnamewin-host-542 13241300x80000000000000001668581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:58:02.293{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 10341000x80000000000000001668580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:02.018{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-BF8A-6156-7400-000000000002}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:02.018{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:02.018{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:02.018{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:02.018{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:02.018{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:02.018{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:02.018{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:02.018{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:02.018{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:02.018{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-BF8A-6156-7400-000000000002}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:02.018{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-BF8A-6156-7400-000000000002}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:02.019{69CF5F33-BF8A-6156-7400-000000000002}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001668610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.854{69CF5F33-BF8B-6156-7500-000000000002}23843124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001668609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.701{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA3836D8DE4DF29EDD196991D0442B1,SHA256=AC82EEC45658546F2F8C0E78ABD6F656FAB8D4A41B1E79AFFCC49261A50CEB5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.686{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-BF8B-6156-7500-000000000002}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.686{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.686{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.686{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.686{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.686{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.686{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.686{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.686{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.686{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.686{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-BF8B-6156-7500-000000000002}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.686{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-BF8B-6156-7500-000000000002}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.688{69CF5F33-BF8B-6156-7500-000000000002}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001668595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.211{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=222272D312EE24C48608FB616C72AC2E,SHA256=E407FE08EC5E9498BB9AA791B7BE73439A0A91BF843516250197E2F4D20B9566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:03.211{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0194A9AFE5741BA9BB9BFBEB1A4EFD64,SHA256=12C60DA39B592A53EC1F6C69119A3FCCF71A109AA541F112F680C00DB8C31EB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001761679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:01.969{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54255522- 354300x80000000000000001761678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:01.964{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54263425- 23542300x80000000000000001761677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:03.047{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E04E3530A701857A4AB85472FA46F06,SHA256=E4B7DE5165EF05D2CED1EB68AB4BFA0739A103D868F2848F7D936BDA8FEF0402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:04.897{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=222272D312EE24C48608FB616C72AC2E,SHA256=E407FE08EC5E9498BB9AA791B7BE73439A0A91BF843516250197E2F4D20B9566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:04.820{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1502E129715FD657AE7FCAF1E47830B2,SHA256=5CAB6FE0625316A5A15D320502B783841DCB5390A9209B435E11C43A29D58B7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:04.743{69CF5F33-BF8C-6156-7600-000000000002}40124024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:04.590{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-BF8C-6156-7600-000000000002}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:04.590{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:04.590{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:04.590{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:04.590{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:04.590{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:04.590{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:04.590{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:04.590{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:04.590{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:04.590{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-BF8C-6156-7600-000000000002}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:04.590{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-BF8C-6156-7600-000000000002}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:04.591{69CF5F33-BF8C-6156-7600-000000000002}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001761680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:04.063{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045FD6F48EDA46B9FDBD3B95CD4C6536,SHA256=BA440BE1F3B1109EF5309395FD02790659760345583EB3C268F87D164B275FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:05.894{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7982844476FBDEBADD8E3749FE8628,SHA256=01286A21FC79FFCA870B96F7A3C8469E0D0A9810A2AE830AFBF1A20F2DB609B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:05.388{69CF5F33-BF8D-6156-7700-000000000002}40084040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:05.250{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-BF8D-6156-7700-000000000002}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:05.250{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:05.250{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:05.250{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:05.250{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:05.250{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:05.250{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:05.250{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:05.250{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:05.250{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:05.250{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-BF8D-6156-7700-000000000002}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:05.250{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-BF8D-6156-7700-000000000002}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:05.250{69CF5F33-BF8D-6156-7700-000000000002}4008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001761681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:05.125{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41DC75BD703F7B98829E6DE0F91ADA76,SHA256=7882D66E08963D33319B9672E1CDB993E1BBA503C1CA51AA989368196E8F5AE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:06.785{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-BF8E-6156-7800-000000000002}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:06.785{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:06.785{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:06.785{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:06.785{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:06.785{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:06.785{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:06.785{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:06.785{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:06.785{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:06.785{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-BF8E-6156-7800-000000000002}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:06.785{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-BF8E-6156-7800-000000000002}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:06.786{69CF5F33-BF8E-6156-7800-000000000002}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001668642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:06.248{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A1DCCD8E4895C62756037B207790AA7,SHA256=F1EA882E86170061D81EB7601FCC3CBD9B88C1A45B38083A261A2EE48DFBCB7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:06.157{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809DFD0955283CC4D212ADD7D488BFB5,SHA256=0458DE33F548B08C748E8A231F08D3ACCBD04DD89A1F4CF05CB6313058B851D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:07.770{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58D6577083A047311DE9E77E02941D86,SHA256=EE0858083509F2E0A6EEE4ECC348174D04EDBD1DA896943B2D05FECB3D9C9D6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:07.093{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A0D3602D7E6E20F3BBBDA7BB5E5E2B,SHA256=79264842E39C6F074CB8C6003D9EBB085A1153845134E1812E4F3E2F88887CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:07.203{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF6AA8D4C2088FBABCE5BABB999A5A2,SHA256=5C07348EA47763448074E058EC29FEC0F9FEE438979F94C4593D5062A5B358AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:08.078{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE2B4E05A859B7AB13EA562C5928103,SHA256=0C6377E6DF081F4D94A0F08DA25FE767598F0730C3B8E0F2ADA2F678234FC6A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:08.938{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=465BCDEBCB9FEBD5BF609C30E375199C,SHA256=BA58D7C300B9023C901B0A9707CEDB09030068C28F482FF546E25FD2B25E3853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:08.938{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=ADD0B81F8AE44ED9C2C5D192F66076A1,SHA256=968D41D31BA87D1F7DA281946A471A6CD41F4062D393109E2E01B81EC4BE761B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:08.328{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD3112BB5689011C453B59E24DDAEEB6,SHA256=12526CFCA9B4079D7102134FFB9E417B69E10248F7360F07EF4A275B945C69E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:09.079{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04EFEA38D3F3E01608C0A96F000CCFA,SHA256=0A3B5F78E3EA4DB1BFBDCA17C1113AF960B0CC2686D245B66FC8D7E93F31864F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:09.344{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5443CC7428EE33382062DEF7FD10B510,SHA256=BB118646A2A131EBCD1DB32AF4AF5E3AC676C8421C245D3F3D4898A5481A7300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:10.080{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D1742DD6286E0B588640D9CA08A4D3,SHA256=2940B22CDCE423D759EEE11150AA0725F3BE4166A3D6DA1A9F3C508C1B422774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:10.378{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E60D406647CAEDD25A3BC4A9B06D007,SHA256=A538D6C0B2C130BC35A07733A60810812023CF5E9845B286022988514092A873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:10.240{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20211001075710-000MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:11.068{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8F433BEDC0BFAD6EEC2AEA7F6AFD9F,SHA256=CB53F479EDB959DD6E14B692113B9B3D76A137F4E087C482132A968CD4D1D494,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:11.392{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF2F450D412291349FEE84E7F7EB49F,SHA256=BCAE9843CA47C6F711D05BF8428E3FBC145D2386EF95ACF16AEC134FF927274B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:11.238{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20211001075708-001MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001668663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:58:12.272{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0x14e8a247) 23542300x80000000000000001668662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:12.071{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D870C80C5DDFB25C0649B6B03F02436,SHA256=8CF486877BA1E3FB6593C220B4B67A7E7F5F5823827471F4B7E79527581D6906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:12.426{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9178EFAFB345D942A8020EDC883613,SHA256=78B037500EF368ECD3CD1238B8F6D4477C41DFDA8CA73EA8F724B94A00E41F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:13.424{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=72B83DEE80009769441203E666B68516,SHA256=C81D837A76050133186233045BD76F33830BBD725726269E7D98F72FE34C4003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:13.424{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1FE6F6A8B4B618DFAF6ECF543510CC9A,SHA256=8AF328D62DA7741943B551CB572923776D75BE485D8221D3920097387B83FDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:13.104{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65AC0582BEF71B4291B42955FD6D824,SHA256=8C41B705FDFD7A5773940CEE0B7291D3094053400E272E8454E165A7F2309D3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001761696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:11.830{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse174.69.171.83wsip-174-69-171-83.ph.ph.cox.net55638-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001761695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:13.504{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9F5EF245AE7125E221A1E790890AE16,SHA256=924218208D584C21AC8084A16E917D0D180D12C54371E97162AAC8CF399F197D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:13.504{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=150FFEB5CACA2C63E0E996E7217969E4,SHA256=45278649C3854C3B01FFF1E3D3CA20CFA80923B53BD2157262D07FFD8D77F041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:13.504{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5DF990961E2949CFC4C3F0A3D0C800,SHA256=88B7779B9ECDCE69BF7C4B74B73DC2181F0EDFCF991C67097B7D961C7358C1AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:14.144{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60BED843FDEC6AACD45E5140172069C,SHA256=FC83F9796A38FBB5E31485360E3045BAF583BD881452A78B6930BADC5364970E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:14.692{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9563694AC2CE85469B5B0AB57E236D25,SHA256=0F852824155676D7E641656ABA09447DC73DC88020E35CAA675EF7107EC804AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:15.723{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F5E640DC7138EF0B2DE985045284EE2,SHA256=91D032FD67A867D37749886E6D25A3F7A7DDE499A54888C1C6810CEAE7001B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:15.181{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890B7D2E8CE1D8D188C4FE7D9A7BA95A,SHA256=FE700484DE825E9526BD878A17A32FC046943DD52873D98B677BA3E02AD932E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001761698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:13.518{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local63918- 23542300x80000000000000001761700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:16.754{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B208A12CA50B47DF7D2CF809E91D1ABF,SHA256=069A9CAD40CA22CB1ABF1A2F7D831FE8E58C79127765D4B48DAA1360AD5A74A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:16.218{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6F1921A12AA5201B30CD87C717C150,SHA256=0923EE157CA34F83FC4097BB378C7FC3E46F1980D47F954CC7D1DF93E093B626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:17.786{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A882267E14AA3FCDF33C98BA31F34156,SHA256=8F6B61437426206F3C7A9E55ACF8FF42898DEAB6643A464DB536F11EFE395625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:17.253{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59620E3CCC34F3A3D163853EBA575CDC,SHA256=9F5C9BD22117B258D1A9C217071021808A50DE9C09C4965DB5C5D2A811DF420C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:18.786{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E27108B8DBC1E5237A1F66830BC9DA,SHA256=C10BF04AA1AE816975AA27DB10AAAD959AD7189ECCFE9CCA8B65FA858072B460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:18.286{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9347B8AE20C6F48F8A77DA8820E5B6E1,SHA256=AE9A880C63CEB27C79A72151B7955CE596682723E4DAF3A68F7208BF511E6E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:19.801{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3ABDB73111FD3C2DF91375F2C804A15,SHA256=5E8B0E1B275DBFA772D9A16782371CDADA9826EA89272F7E90C7B31C2F417420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:19.319{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D84DE4CDAA5CE88A088B21C3CFC8B22,SHA256=C96A7FA22C5F08FDCB1313731424BA70B53E3AAA0F45F2A1C3B79964EC79E49A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001761719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.895{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-BF9C-6156-7900-000000000002}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.895{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.895{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.895{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.895{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.895{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.895{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.895{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.895{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.895{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.895{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-BF9C-6156-7900-000000000002}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001761708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.895{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-BF9C-6156-7900-000000000002}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001761707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.896{5EBD8912-BF9C-6156-7900-000000000002}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001761706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.848{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FD1F7B63338163FB64789D408627EC,SHA256=8F2DF235D77CB392B1F1875E91A2282A2A7B72FC08DEE59C4AAC9D61CFE16BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:20.351{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB684B325D604D2231282383F84DBB71,SHA256=FF06F6C15E91BC21B0B4F15B1ECB4A46B35EE394501CB412E5011CF0C12EF756,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001761705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:19.651{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61765-false10.0.1.12-8000- 354300x80000000000000001761704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:19.080{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61764-false10.0.1.12-8000- 10341000x80000000000000001761734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.957{5EBD8912-BF9D-6156-7A00-000000000002}19801984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001668674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:21.381{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602370A2B0F7F54DE363395ECA307A07,SHA256=B205D2584DF53FA989DE9C12053831D18DA94DB05758211330B0D1F3E7DFC735,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001761733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.801{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-BF9D-6156-7A00-000000000002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.801{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.801{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.801{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.801{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.801{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.801{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.801{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.801{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.801{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.801{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-BF9D-6156-7A00-000000000002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001761722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.801{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-BF9D-6156-7A00-000000000002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001761721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.802{5EBD8912-BF9D-6156-7A00-000000000002}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000001761720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.020{5EBD8912-BF53-6156-2300-000000000002}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000001761751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:22.692{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-BF9E-6156-7B00-000000000002}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:22.692{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:22.692{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:22.692{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:22.692{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:22.692{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:22.692{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:22.692{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:22.692{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:22.692{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:22.692{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-BF9E-6156-7B00-000000000002}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001761740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:22.692{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-BF9E-6156-7B00-000000000002}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001761739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:22.692{5EBD8912-BF9E-6156-7B00-000000000002}2196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001761738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:22.098{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31EDA476BB06A6C3A5B2AA44128DB3A2,SHA256=E5B7C0243268A29E6904802608F23C76E140BF57D1A882A8EDF1E86BF4506F51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:22.098{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDB4FD6E98C831D155CF97A416910B99,SHA256=C41C629825FF20D115CB3542445E1892EE35598C6F1B1AF99FCAAD28A09F601A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:22.098{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9F5EF245AE7125E221A1E790890AE16,SHA256=924218208D584C21AC8084A16E917D0D180D12C54371E97162AAC8CF399F197D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001761735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.173{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61766-false10.0.1.12-8000- 23542300x80000000000000001668675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:22.411{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62D15A45DB5B2AC3A8F6EA4A67DAAB3,SHA256=10F509AF5CE0215E545877AA77CD3F144169A23FF53D4C79EB19436CA998C5E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001668678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:21.674{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49718-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001668677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:21.163{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49717-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001668676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:23.439{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F495393F98ED058DE86C7AFC571873,SHA256=31BE327A81FF065BB9570F0DBAC6EF22F71C8059256F3665ECDC73E855F7D9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:23.786{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31EDA476BB06A6C3A5B2AA44128DB3A2,SHA256=E5B7C0243268A29E6904802608F23C76E140BF57D1A882A8EDF1E86BF4506F51,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001761758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.036{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61769-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local3268msft-gc 354300x80000000000000001761757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.036{5EBD8912-BF53-6156-2300-000000000002}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61769-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local3268msft-gc 354300x80000000000000001761756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.029{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61768-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001761755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:21.029{5EBD8912-BF53-6156-2300-000000000002}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61768-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001761754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.988{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61767-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001761753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:20.988{5EBD8912-BF53-6156-2300-000000000002}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61767-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001761752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:23.004{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5AAE0E794F416051BBFE829B5240D3,SHA256=25146075C1788134D69A58A9EB35346C0804065F8C6ECBB5CF1896C40FCB2976,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001668680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:22.164{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49719-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001668679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:24.467{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA0C10C82582FE15C7CE7F2F5FC02598,SHA256=87851FF58C9D0C9709C60739B58110168F57CD9A332E503F8E02BA2CAEA0317D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001761774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:24.598{5EBD8912-BFA0-6156-7C00-000000000002}40843800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:24.457{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-BFA0-6156-7C00-000000000002}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:24.457{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:24.457{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:24.457{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:24.457{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:24.457{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:24.457{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:24.457{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:24.457{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:24.457{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:24.457{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-BFA0-6156-7C00-000000000002}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001761762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:24.457{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-BFA0-6156-7C00-000000000002}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001761761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:24.458{5EBD8912-BFA0-6156-7C00-000000000002}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001761760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:24.082{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=090D4CBE82EB0DB7081E7187CD6864C9,SHA256=38CF5264FC548E3A499C9DA9CEB00BB58EBF60A82FB1BF833F5D44DE586D8D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:25.494{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745D1500EECDF787EDB79D4DC7C72460,SHA256=78F9EA5D16F8948F47EAF8E3B2834153EC2BB0600A1B071F97658C93BA4AE368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:25.582{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A683CB074DA4000A9F1CCFD7605205DA,SHA256=736F6E36BF1D3ED3058A9F757B6B8DCD1C87C4FF3BB25708F6583C8B5C0690C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001761790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:25.504{5EBD8912-BFA1-6156-7D00-000000000002}40764008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:25.364{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-BFA1-6156-7D00-000000000002}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:25.364{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:25.364{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:25.364{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:25.364{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:25.364{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:25.364{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:25.364{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:25.364{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:25.364{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:25.364{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-BFA1-6156-7D00-000000000002}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001761778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:25.364{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-BFA1-6156-7D00-000000000002}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001761777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:25.364{5EBD8912-BFA1-6156-7D00-000000000002}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001761776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:23.221{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61770-false10.0.1.12-8000- 23542300x80000000000000001761775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:25.098{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778430E3BE2F045E283A007ADB782EEA,SHA256=6E73295E0D9B192A211A1AABE60FF1F0EFC6DEFBD23A733401E44AD2EA466B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:26.521{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2569C4D49F32ED39152957D615FF05,SHA256=49BF9BDEC8364EF2516A56F8274FD80DBE4388CB7397A4766D5357233EB5C400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:26.348{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9399FE28C78936072C88169A856B48FD,SHA256=CE01A99A2D5CA28E1B2C0724E85D9891C789EBF76B5BD90F436116D4631803DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001761805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:26.207{5EBD8912-BFA2-6156-7E00-000000000002}28562944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:26.036{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-BFA2-6156-7E00-000000000002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:26.036{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:26.036{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:26.036{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:26.036{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:26.036{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:26.036{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:26.036{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:26.036{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:26.036{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:26.036{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-BFA2-6156-7E00-000000000002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001761793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:26.036{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-BFA2-6156-7E00-000000000002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001761792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:26.036{5EBD8912-BFA2-6156-7E00-000000000002}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001668683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:27.609{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DEFD9C0C94795F8BAB63B6287B3E1A,SHA256=8F718DAE8DB273A04A3C0A63A5B161D21DD1BE94CE17140EE7BD861C07A06D7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001761821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:27.770{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-BFA3-6156-7F00-000000000002}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:27.770{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:27.770{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:27.770{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:27.770{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:27.770{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:27.770{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:27.770{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:27.770{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:27.770{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:27.770{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-BFA3-6156-7F00-000000000002}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001761810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:27.770{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-BFA3-6156-7F00-000000000002}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001761809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:27.771{5EBD8912-BFA3-6156-7F00-000000000002}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001761808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:27.317{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3016643B5887B36D5E0B7CEA016BD5,SHA256=52D8F87B741200915711C75B7B29FDA3470A76A57FC7E1C59D708C14D28B2B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:27.067{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5E4B49D3134B5BB8285F9073AE4D2D1,SHA256=E21D8B326226640A694709987CAEE90677F8E732F0BCABF3ACD5BC1C96F2807F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:28.761{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A9F25FE910D7B27739BACF5DF05113,SHA256=FA907D86355B285212D666B7C8A4EBF1A2BA239AA4371B9FEA4CECADFA3F9A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:28.989{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18ED555F85DAE338FE91034802F1CF82,SHA256=9EAF2AD16F2E6D8B831240F84FA325BE43C3E69CBB6BCDFB6909FFB9F19D882C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:28.364{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710C1CAAB86E4D8229CEB1D07A4E63E8,SHA256=904089FEE20AD4BFA4144FE36CDE5D79A53E1DF41FC35137DE3A75FC74C24ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:29.864{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C14CCA81C1F285A2CB6DAD9BAD9084,SHA256=6F3B98213D836EE385F935E9588B6683DE33B756C7342A31F8D7EFF5B3DB2D8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:29.410{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CA9D0C3419EC3F500834E10E9F3B74,SHA256=D4A60625DFEC69494C07D0FDC23C9D95FF7A10B74D69AE2B6611E48822C6FFDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001668686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:27.022{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49721-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001668685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:26.192{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49720-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001761826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:29.112{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61771-false10.0.1.12-8000- 23542300x80000000000000001761825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:30.457{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=191D4CC05C4C47931F93155AF56B6483,SHA256=2B652FE68828CAA88E9425F3B5C8B19CA4E408B6652F6ED77E5BD44EE66DF306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:31.457{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AADE049979376AE3A965BEC8F27CA2,SHA256=072D05CA4E63B2F6DCC63B2A02396EA387B26EE5AE4155B5FA62F0B2410DBA6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:30.998{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A076C45165B9C1AED4D0CCD866A72E,SHA256=43D24F5BBB0630C1D0B1EBF01D03CD5023446ADB2B63919EE2C7A290C2A36D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:32.879{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=78FD7E11D7F1B4C59A16104D75566835,SHA256=93ED221ADFBC63CE374A6DF5804F24372F50FDD724CFCCF50D6ED626F6E79C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:32.864{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=465BCDEBCB9FEBD5BF609C30E375199C,SHA256=BA58D7C300B9023C901B0A9707CEDB09030068C28F482FF546E25FD2B25E3853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:32.473{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8B24A7FD104BB5C2CA61FC51225990,SHA256=BEB422AFF7D80F7A59AB19DE2A2A5F4137007F799055F8D3874310CD02642337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:32.037{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80EEE610E7357509196115583E1E0A48,SHA256=137C5EE45661F1E9EB16DF085A233607B75ACA309C83B0BA592E22F9A518F87E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001761951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.848{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.801{5EBD8912-BFA9-6156-8300-000000000002}39923348C:\Windows\system32\LogonUI.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.801{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.801{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001761947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:31.487{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.104.91.170ppp-93-104-91-170.dynamic.mnet-online.de49927-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001761946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.598{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8400-000000000002}3856C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.582{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8400-000000000002}3856C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.582{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8400-000000000002}3856C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001761943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.535{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8D6E8D2A2C0C8A0ABF62CBBBBF613212,SHA256=B0E4B420B7704A7BC414ADA792CE487F18BB7C0AC61AF71D0E5D1117D927945E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001761942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.520{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=062EF13823973C0C5C22403793698F35,SHA256=D1E94E492A84641EA8267EE1B514E4133D5E364A445CA671F074F433B6896D66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001761941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.504{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.504{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.504{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.504{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001761937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.504{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D788AF05506EDE9A66838B4826C718D1,SHA256=1D00FB0A3A48EE2CA54C21CD40D96F788986BD71F0600765A511F0DDC1591C3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001761936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.504{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8400-000000000002}3856C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.504{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8400-000000000002}3856C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001761934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.489{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571B6FCFBD1FF31CD4398C09451A18D6,SHA256=F51C8EB386EDAA93CDB3F625BB01AA1A49A14FA60207555E02BDBAEFC2D7FFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:33.075{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3996C7A40B788A408C2C53C092D4A9,SHA256=467951E6CE63A8A414C811C8CEC17C8B4DB437D19D0F609E574BA15047843A42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001761933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.457{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.457{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.457{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.457{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.442{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.442{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.442{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.442{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.442{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.442{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.442{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.442{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.442{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.442{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-BFA9-6156-8400-000000000002}3856C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001761919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.442{5EBD8912-BFA9-6156-8200-000000000002}12563152C:\Windows\system32\winlogon.exe{5EBD8912-BFA9-6156-8400-000000000002}3856C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001761918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.452{5EBD8912-BFA9-6156-8400-000000000002}3856C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-2{5EBD8912-BFA9-6156-517B-070000000000}0x77b512SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001761917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.442{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1b140|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.442{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.442{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+195f6|C:\Windows\system32\lsasrv.dll+1ab9f|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.426{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.426{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.410{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.410{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001761899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BFA9-6156-8200-000000000002}12561328C:\Windows\system32\winlogon.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001761895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.403{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a54055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001761894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.395{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.379{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.379{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001761887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-10-01 07:58:33.364{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguagesBinary Data 10341000x80000000000000001761886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.270{5EBD8912-BFA9-6156-8100-000000000002}37161260C:\Windows\system32\csrss.exe{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000001761885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.114{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE927966E4F7054263411A8C887A7A4A,SHA256=A3E70B24BD4EEB68EEAF3524AE94FF115DA4728717A484E2D26D3A703F0BAF16,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001761884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:33.082{5EBD8912-BF3D-6156-0100-000000000002}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001761883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:33.082{5EBD8912-BF3D-6156-0100-000000000002}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000001761882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:33.082{5EBD8912-BF3D-6156-0100-000000000002}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x80000000000000001761881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:33.082{5EBD8912-BF3D-6156-0100-000000000002}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001761880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:33.082{5EBD8912-BF3D-6156-0100-000000000002}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x80000000000000001761879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:33.082{5EBD8912-BF3D-6156-0100-000000000002}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x80000000000000001761878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:33.067{5EBD8912-BF3D-6156-0100-000000000002}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001761877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:33.067{5EBD8912-BF3D-6156-0100-000000000002}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000001761876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:33.067{5EBD8912-BF3D-6156-0100-000000000002}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x80000000000000001761875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:33.067{5EBD8912-BF3D-6156-0100-000000000002}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001761874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:33.067{5EBD8912-BF3D-6156-0100-000000000002}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x80000000000000001761873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:33.067{5EBD8912-BF3D-6156-0100-000000000002}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 10341000x80000000000000001761872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.067{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.067{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.067{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.051{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.051{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.051{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.051{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.051{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.051{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.051{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.051{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.051{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.051{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8100-000000000002}3716C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001761859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.051{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001761858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.051{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001761857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.051{5EBD8912-BFA9-6156-8000-000000000002}37123708C:\Windows\System32\smss.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001761856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.054{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e72SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{5EBD8912-BFA9-6156-8000-000000000002}3712C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e8 0000007c 10341000x80000000000000001761855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.051{5EBD8912-BF3D-6156-0200-000000000002}320952C:\Windows\System32\smss.exe{5EBD8912-BFA9-6156-8100-000000000002}3716C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001761854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.036{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8100-000000000002}3716C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.036{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.036{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.036{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BFA9-6156-8000-000000000002}37123708C:\Windows\System32\smss.exe{5EBD8912-BFA9-6156-8100-000000000002}3716C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001761843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.034{5EBD8912-BFA9-6156-8100-000000000002}3716C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e72SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{5EBD8912-BFA9-6156-8000-000000000002}3712C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000e8 0000007c 10341000x80000000000000001761842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF3D-6156-0200-000000000002}320952C:\Windows\System32\smss.exe{5EBD8912-BFA9-6156-8000-000000000002}3712C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001761841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.020{5EBD8912-BF3D-6156-0200-000000000002}320952C:\Windows\System32\smss.exe{5EBD8912-BFA9-6156-8000-000000000002}3712C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001761831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.025{5EBD8912-BFA9-6156-8000-000000000002}3712C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000e8 0000007c C:\Windows\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e72SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{5EBD8912-BF3D-6156-0200-000000000002}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 354300x80000000000000001668692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:31.991{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49722-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001668691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:34.144{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB05A0E37ED5FABD45661A5B7C3E6087,SHA256=F6723B0A649294777B1308D97B8055625B1A95382D15ADD2A75378F32FF30F22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.973{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.973{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.973{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.973{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.973{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.973{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001762178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-10-01 07:58:34.973{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\MuiCached\MachinePreferredUILanguagesBinary Data 10341000x80000000000000001762177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.957{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.957{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.957{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8400-000000000002}3856C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.957{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8400-000000000002}3856C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.957{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.957{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.957{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.957{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.957{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.942{5EBD8912-BF43-6156-0F00-000000000002}3523380C:\Windows\System32\svchost.exe{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+1982c|c:\windows\system32\termsrv.dll+2320b|c:\windows\system32\termsrv.dll+22643|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 154100x80000000000000001762167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.948{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 23542300x80000000000000001762166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.942{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D370E9E8824B9D23C68DFE796BED91,SHA256=E8E5644C85A725DDB48C3AE67D487B7994D3B943CCE456801EC10E99E4F6989C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.942{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x80000000000000001762164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-10-01 07:58:34.926{5EBD8912-BFAA-6156-8600-000000000002}588C:\Windows\system32\TSTheme.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Remote\2\Control Panel\Desktop\UserPreferencesMaskBinary Data 13241300x80000000000000001762163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-10-01 07:58:34.926{5EBD8912-BFAA-6156-8600-000000000002}588C:\Windows\system32\TSTheme.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Remote\2\Control Panel\Desktop\SmoothScrollNo 13241300x80000000000000001762162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-10-01 07:58:34.926{5EBD8912-BFAA-6156-8600-000000000002}588C:\Windows\system32\TSTheme.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Remote\2\Control Panel\Desktop\WindowMetrics\MinAnimate0 23542300x80000000000000001762161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.926{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127C47367BC5786AC22E62952C9A8EA6,SHA256=2F7715E498E0BDF36509C3D904F79403BD321A19F8818ABAF62D55A3F0A27C62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8600-000000000002}588C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-1600-000000000002}12961476C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8600-000000000002}588C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8600-000000000002}588C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BFA9-6156-8100-000000000002}37161076C:\Windows\system32\csrss.exe{5EBD8912-BFAA-6156-8600-000000000002}588C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-BFAA-6156-8600-000000000002}588C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8600-000000000002}588C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001762140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.911{5EBD8912-BFAA-6156-8600-000000000002}588C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{5EBD8912-BF43-6156-0C00-000000000002}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001762139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.910{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F71622400BF67EA24E7D4A985E6DE73,SHA256=16F629A7DB59F2F56FBF907E806A6FC1499247C71A789BC3D888F70825B6EF6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2200-000000000002}2668C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.895{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844980C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001762075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001762074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+37c3|c:\windows\system32\SYSNTFY.dll+1dcb|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.879{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.864{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.864{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.864{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.801{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8400-000000000002}3856C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.801{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8400-000000000002}3856C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.786{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581BBFB812BFCF9E9E82EF5C67FB08FE,SHA256=B9AE3C1E0196923E6BF5E02075D5AD89036A14C062D42DBC5DB60D5A806FB5B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.786{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16641FC78A06D6F176AFA17102A16214,SHA256=56CE51F0BB5C57A35D5F88D86DEB8C648E9B3833838BAAD6B4A90C43B8093CE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.754{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.754{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.754{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.739{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.739{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.739{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.739{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.739{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.739{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.739{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.692{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8500-000000000002}2748C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.676{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-BFAA-6156-8500-000000000002}2748C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.676{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8500-000000000002}2748C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.660{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.582{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001762050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.582{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001762049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.582{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.582{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.582{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.582{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.567{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001762044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.567{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001762043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.567{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001762042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.567{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.567{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.567{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.567{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.551{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.551{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.551{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.535{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.520{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.520{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.520{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.520{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.520{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.520{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+195f6|C:\Windows\system32\lsasrv.dll+1ab9f|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.504{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.504{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.504{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.504{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.504{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.504{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.504{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.504{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.504{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.364{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.364{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.364{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.332{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.332{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.332{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.332{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.332{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.332{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.332{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.332{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.332{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.332{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.332{5EBD8912-BF43-6156-0F00-000000000002}3521172C:\Windows\System32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.332{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.332{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.317{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.317{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.301{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.301{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.301{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.301{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.301{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.301{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.301{5EBD8912-BF43-6156-0F00-000000000002}3521172C:\Windows\System32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.301{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.301{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001761992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.160{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3531A7BF949D2C4C2C4C1B5C72821872,SHA256=3A68850EFA04A14CDB8FB56C5145D58DCA20EF775E27D6DBA688061DEB1F4EA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001761991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.160{5EBD8912-BF43-6156-1100-000000000002}4441564C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.160{5EBD8912-BF43-6156-1100-000000000002}4441564C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.160{5EBD8912-BF43-6156-1100-000000000002}4441564C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.160{5EBD8912-BF43-6156-1100-000000000002}4441564C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.114{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1700-000000000002}1392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.114{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001761985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.114{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000001761984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-10-01 07:58:34.114{5EBD8912-BF43-6156-0F00-000000000002}352\TSVCPIPE-3e404367-1aef-4e9f-be81-91650a0568d8C:\Windows\System32\svchost.exe 10341000x80000000000000001761983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.114{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.114{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.114{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001761980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-10-01 07:58:34.098{5EBD8912-BF43-6156-0F00-000000000002}352\TSVCPIPE-3e404367-1aef-4e9f-be81-91650a0568d8C:\Windows\System32\svchost.exe 18141800x80000000000000001761979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0F00-000000000002}352\TSVCPIPE-3e404367-1aef-4e9f-be81-91650a0568d8C:\Windows\System32\svchost.exe 10341000x80000000000000001761978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001761977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000001761976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0F00-000000000002}352\TSVCPIPE-3e404367-1aef-4e9f-be81-91650a0568d8C:\Windows\System32\svchost.exe 17141700x80000000000000001761975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0F00-000000000002}352\TSVCPIPE-3e404367-1aef-4e9f-be81-91650a0568d8C:\Windows\System32\svchost.exe 10341000x80000000000000001761974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2200-000000000002}2668C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0F00-000000000002}3521044C:\Windows\System32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6a73d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8300-000000000002}3992C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001761955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF41-6156-0B00-000000000002}636688C:\Windows\system32\lsass.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001761954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=585FDD47AF6F14C5CEB0D99941A9A255,SHA256=BD305048006BF4530282ED9C5D1EECAC881B9E1A57303EE28EC67F100F5071B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001761953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001761952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.067{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D272CF56B8D899E3E162ACD350385930,SHA256=FF4E13027519F3E44098F6FF50930C80D5D0514FB3FC929AC56858C1773A295B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:35.370{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8571A1D16E56575B659F6F9011D9EAE1,SHA256=915530E95AA01F97BF89B6D806EFCCAC103D84EAE4C93BE76BF8D85A8E8E38E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.942{5EBD8912-BFAB-6156-9100-000000000002}45484596C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9000-000000000002}4516C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115046|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.926{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.910{5EBD8912-BF43-6156-1600-000000000002}12961944C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.910{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.895{5EBD8912-BFA9-6156-8100-000000000002}37161076C:\Windows\system32\csrss.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.895{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.895{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.895{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.895{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.895{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.895{5EBD8912-BF43-6156-1600-000000000002}12961944C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.895{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001762361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT10532021-10-01 07:58:35.895{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTask2021-09-27 07:58:56.096 23542300x80000000000000001762360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.879{5EBD8912-BF43-6156-1600-000000000002}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTaskMD5=7A2163BAF11F784E3E14894450E1185D,SHA256=299A7F1EA1B6D7319064263EF354F04C7B1EE1BA5CDE1D75F606F1708CE58615,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.879{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-BFAB-6156-8F00-000000000002}4500C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.879{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-BFAB-6156-8F00-000000000002}4500C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.864{5EBD8912-BF41-6156-0A00-000000000002}6282712C:\Windows\system32\services.exe{5EBD8912-BFAB-6156-9100-000000000002}4548C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.864{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9100-000000000002}4548C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.864{5EBD8912-BF43-6156-1600-000000000002}12961512C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-8F00-000000000002}4500C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.864{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-8F00-000000000002}4500C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.864{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-BFAB-6156-9100-000000000002}4548C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.864{5EBD8912-BF41-6156-0A00-000000000002}628860C:\Windows\system32\services.exe{5EBD8912-BFAB-6156-9100-000000000002}4548C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.864{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.864{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.864{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.864{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001762347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.761{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local61774-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001762346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.761{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61774-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001762345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.756{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61773-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001762344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.756{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61773-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001762343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.751{5EBD8912-BF43-6156-0D00-000000000002}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61772-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001762342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.751{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61772-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001762341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:33.690{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61062- 10341000x80000000000000001762340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.660{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.660{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.660{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.660{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.660{5EBD8912-BFA9-6156-8100-000000000002}37161076C:\Windows\system32\csrss.exe{5EBD8912-BFAB-6156-9000-000000000002}4516C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.660{5EBD8912-BFAB-6156-8E00-000000000002}44724476C:\Windows\system32\userinit.exe{5EBD8912-BFAB-6156-9000-000000000002}4516C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+26f6|C:\Windows\system32\userinit.exe+30fd|C:\Windows\system32\userinit.exe+3755|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001762334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.665{5EBD8912-BFAB-6156-9000-000000000002}4516C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEC:\Windows\System32\calc.exeC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA,IMPHASH=3843C3D4A5A7D1045ABE9A4BFCFAAB28{5EBD8912-BFAB-6156-8E00-000000000002}4472C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 10341000x80000000000000001762333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.660{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.660{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.660{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.660{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.645{5EBD8912-BFA9-6156-8100-000000000002}37161076C:\Windows\system32\csrss.exe{5EBD8912-BFAB-6156-8F00-000000000002}4500C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.645{5EBD8912-BFAB-6156-8E00-000000000002}44724476C:\Windows\system32\userinit.exe{5EBD8912-BFAB-6156-8F00-000000000002}4500C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+23e5|C:\Windows\system32\userinit.exe+346e|C:\Windows\system32\userinit.exe+3725|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001762327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.604{5EBD8912-BFAB-6156-8F00-000000000002}4500C:\Windows\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\Explorer.EXEC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=F7FDECA990692D53D7E4E396B0BD711E,SHA256=1F955612E7DB9BB037751A89DAE78DFAF03D7C1BCC62DF2EF019F6CFE6D1BBA7,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{5EBD8912-BFAB-6156-8E00-000000000002}4472C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 23542300x80000000000000001762326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.598{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95EC97DAEA32844947D8F0D1320534E4,SHA256=98B046F3B715CD7B6C26CAE63B39DC47A067DA9E5AEB8F151D6ADB63FA185047,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.582{5EBD8912-BF43-6156-1600-000000000002}12961512C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-8E00-000000000002}4472C:\Windows\system32\userinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.582{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-8E00-000000000002}4472C:\Windows\system32\userinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.567{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.567{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.567{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.567{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.567{5EBD8912-BFA9-6156-8100-000000000002}37161076C:\Windows\system32\csrss.exe{5EBD8912-BFAB-6156-8E00-000000000002}4472C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.567{5EBD8912-BFA9-6156-8200-000000000002}12561112C:\Windows\system32\winlogon.exe{5EBD8912-BFAB-6156-8E00-000000000002}4472C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+ea76|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001762317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.577{5EBD8912-BFAB-6156-8E00-000000000002}4472C:\Windows\System32\userinit.exe10.0.14393.0 (rs1_release.160715-1616)Userinit Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationUSERINIT.EXEC:\Windows\system32\userinit.exeC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=C1B1FFC800BE2F31EB2CF8CB40629C69,SHA256=CFC6A18FC8FE7447ECD491345A32F0F10208F114B70A0E9D1CD72F6070D5B36F,IMPHASH=BFA137B16F3492AFCA0551687B067C04{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001762316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.567{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.520{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=585FDD47AF6F14C5CEB0D99941A9A255,SHA256=BD305048006BF4530282ED9C5D1EECAC881B9E1A57303EE28EC67F100F5071B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.504{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2441C259CA6A808FEAEEBB078BCDFA03,SHA256=0906C741FD94D2502331D33CD342281875CE6A9A96E585C2D7C756F7FFB4F1DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.504{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=78FD7E11D7F1B4C59A16104D75566835,SHA256=93ED221ADFBC63CE374A6DF5804F24372F50FDD724CFCCF50D6ED626F6E79C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.442{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0310C5DCF5667CFA68FF87E556AFCBD1,SHA256=F6C29F40DA4762C4EBDB565646CF7F71F814BDA55807E952D57A192C1A8E24B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.426{5EBD8912-BF43-6156-1300-000000000002}5041100C:\Windows\System32\svchost.exe{5EBD8912-BF43-6156-1100-000000000002}444C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+4609|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.426{5EBD8912-BF43-6156-1300-000000000002}5041100C:\Windows\System32\svchost.exe{5EBD8912-BF43-6156-1100-000000000002}444C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.395{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.395{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.395{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.395{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BFAB-6156-8A00-000000000002}916C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.395{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BFAB-6156-8A00-000000000002}916C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.395{5EBD8912-BFAA-6156-8800-000000000002}10163420C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BFAB-6156-8A00-000000000002}916C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001762303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.395{5EBD8912-BFAA-6156-8800-000000000002}10163420C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BFAB-6156-8A00-000000000002}916C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001762302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.332{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.332{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.332{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.332{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.301{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD781AD733078CEA6AC59022C49B133D,SHA256=897224F85E11DE9BFF288E690545C54ADFD1F963ADA9A98FC85E788D53602D4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.285{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.285{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.285{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+3a1a|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.285{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.285{5EBD8912-BF43-6156-1600-000000000002}12961944C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8200-000000000002}1256C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\sessenv.dll+3de88|c:\windows\system32\sessenv.dll+f881|c:\windows\system32\sessenv.dll+677c|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2200-000000000002}2668C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2200-000000000002}2668C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2200-000000000002}2668C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2200-000000000002}2668C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2200-000000000002}2668C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2200-000000000002}2668C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2200-000000000002}2668C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2200-000000000002}2668C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2200-000000000002}2668C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2200-000000000002}2668C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-BFAB-6156-8C00-000000000002}4144C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF53-6156-2200-000000000002}26682740C:\Windows\System32\spoolsv.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\spoolsv.exe+1b7a3|C:\Windows\System32\spoolsv.exe+1b609|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a27b|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-BFAB-6156-8C00-000000000002}4144C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.223{5EBD8912-BF43-6156-1600-000000000002}12961652C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-8C00-000000000002}4144C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+108c6|c:\windows\system32\UBPM.dll+d439|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.207{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.207{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.207{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.207{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.207{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.207{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.207{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.207{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.207{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1700-000000000002}1392C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.207{5EBD8912-BF41-6156-0A00-000000000002}628724C:\Windows\system32\services.exe{5EBD8912-BFAB-6156-8A00-000000000002}916C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.207{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-8A00-000000000002}916C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.192{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-BFAB-6156-8A00-000000000002}916C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.160{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-BFAB-6156-8A00-000000000002}916C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.160{5EBD8912-BF41-6156-0A00-000000000002}6282712C:\Windows\system32\services.exe{5EBD8912-BFAB-6156-8A00-000000000002}916C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1dc37|C:\Windows\system32\services.exe+17f38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001762260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.160{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8400-000000000002}3856C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.160{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8400-000000000002}3856C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001762258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_8526b\Description@%%SystemRoot%%\system32\WpnUserService.dll,-2 13241300x80000000000000001762257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_8526b\FailureActionsBinary Data 13241300x80000000000000001762256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_8526b\Security\SecurityBinary Data 13241300x80000000000000001762255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_8526b\DisplayNameWindows Push Notifications User Service_8526b 13241300x80000000000000001762254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_8526b\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001762253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_8526b\ErrorControlDWORD (0x00000000) 13241300x80000000000000001762252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_8526b\StartDWORD (0x00000003) 13241300x80000000000000001762251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_8526b\TypeDWORD (0x000000e0) 13241300x80000000000000001762250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_8526b\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-14000 13241300x80000000000000001762249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_8526b\FailureActionsBinary Data 13241300x80000000000000001762248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_8526b\Security\SecurityBinary Data 13241300x80000000000000001762247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_8526b\DisplayNameUser Data Access_8526b 13241300x80000000000000001762246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_8526b\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001762245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_8526b\ErrorControlDWORD (0x00000000) 13241300x80000000000000001762244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_8526b\StartDWORD (0x00000003) 13241300x80000000000000001762243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_8526b\TypeDWORD (0x000000e0) 13241300x80000000000000001762242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_8526b\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-10002 13241300x80000000000000001762241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_8526b\FailureActionsBinary Data 13241300x80000000000000001762240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_8526b\Security\SecurityBinary Data 13241300x80000000000000001762239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_8526b\DisplayNameUser Data Storage_8526b 13241300x80000000000000001762238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_8526b\ImagePathC:\Windows\System32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001762237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_8526b\ErrorControlDWORD (0x00000000) 13241300x80000000000000001762236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_8526b\StartDWORD (0x00000003) 13241300x80000000000000001762235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_8526b\TypeDWORD (0x000000e0) 13241300x80000000000000001762234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_8526b\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-15000 13241300x80000000000000001762233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_8526b\FailureActionsBinary Data 13241300x80000000000000001762232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_8526b\Security\SecurityBinary Data 13241300x80000000000000001762231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_8526b\DisplayNameContact Data_8526b 13241300x80000000000000001762230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_8526b\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001762229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_8526b\ErrorControlDWORD (0x00000000) 13241300x80000000000000001762228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_8526b\StartDWORD (0x00000003) 13241300x80000000000000001762227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_8526b\TypeDWORD (0x000000e0) 13241300x80000000000000001762226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_8526b\Description@%%SystemRoot%%\system32\APHostRes.dll,-10001 13241300x80000000000000001762225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_8526b\FailureActionsBinary Data 13241300x80000000000000001762224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_8526b\Security\SecurityBinary Data 13241300x80000000000000001762223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_8526b\DisplayNameSync Host_8526b 13241300x80000000000000001762222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_8526b\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001762221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_8526b\ErrorControlDWORD (0x00000000) 13241300x80000000000000001762220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_8526b\StartDWORD (0x00000002) 13241300x80000000000000001762219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_8526b\TypeDWORD (0x000000e0) 13241300x80000000000000001762218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_8526b\Description@%%SystemRoot%%\system32\cdpusersvc.dll,-101 13241300x80000000000000001762217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_8526b\FailureActionsBinary Data 13241300x80000000000000001762216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_8526b\Security\SecurityBinary Data 10341000x80000000000000001762215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.145{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.145{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.145{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001762212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_8526b\DisplayNameCDPUserSvc_8526b 13241300x80000000000000001762211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_8526b\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001762210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_8526b\ErrorControlDWORD (0x00000001) 10341000x80000000000000001762209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.145{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001762208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_8526b\StartDWORD (0x00000002) 13241300x80000000000000001762207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:35.145{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_8526b\TypeDWORD (0x000000e0) 10341000x80000000000000001762206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.145{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.082{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C4B25146F3699BB1F72256834B1AC1,SHA256=C0EE4FC484BC3434CE6CEE1CF0026C7B48BC3A0EDB48D07FCEC55858C4578DFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.082{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.067{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001762202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.067{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000001762201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-10-01 07:58:35.067{5EBD8912-BF43-6156-0F00-000000000002}352\TSVCPIPE-3e404367-1aef-4e9f-be81-91650a0568d8C:\Windows\System32\svchost.exe 18141800x80000000000000001762200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-10-01 07:58:35.035{5EBD8912-BF43-6156-0F00-000000000002}352\TSVCPIPE-3e404367-1aef-4e9f-be81-91650a0568d8C:\Windows\System32\svchost.exe 10341000x80000000000000001762199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.035{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.020{5EBD8912-BFAA-6156-8800-000000000002}10163420C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001762197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.020{5EBD8912-BFAA-6156-8800-000000000002}10163420C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001762196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.020{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.020{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.020{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001762193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-10-01 07:58:35.020{5EBD8912-BF43-6156-0F00-000000000002}352\TSVCPIPE-3e404367-1aef-4e9f-be81-91650a0568d8C:\Windows\System32\svchost.exe 10341000x80000000000000001762192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.020{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.020{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.020{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.020{5EBD8912-BF43-6156-1600-000000000002}12961944C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.020{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.020{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.020{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001762185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-10-01 07:58:35.004{5EBD8912-BF43-6156-0F00-000000000002}352\TSVCPIPE-3e404367-1aef-4e9f-be81-91650a0568d8C:\Windows\System32\svchost.exe 23542300x80000000000000001762421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.966{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=03178703EDB933DD8805B07372D78B5E,SHA256=2F8E057DB8C781E81BDC39896AF958709D157D2398FCA035453ABC496D9CA460,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.951{5EBD8912-BFAB-6156-8B00-000000000002}41364276C:\Windows\system32\taskhostw.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001762419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-10-01 07:58:36.951{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\LastUpdatedDWORD (0xffffffff) 13241300x80000000000000001762418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-10-01 07:58:36.951{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\TranscodedImageCountDWORD (0x00000001) 10341000x80000000000000001762417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.935{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.935{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.935{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.935{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.920{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.920{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.920{5EBD8912-BF43-6156-1600-000000000002}12961944C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\shsvcs.dll+11f99|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001762410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.920{5EBD8912-BF43-6156-1600-000000000002}12961944C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x101068C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\shsvcs.dll+11f27|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001762409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.904{5EBD8912-BFAB-6156-8B00-000000000002}41364276C:\Windows\system32\taskhostw.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.904{5EBD8912-BFAB-6156-8B00-000000000002}41364276C:\Windows\system32\taskhostw.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.904{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.904{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.857{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E33B0BBE3C87625B00788738E06FA1,SHA256=138F51BD7881133DD1C35ABF09B9DB094497FF6688ABB4F910A02D801E21C67F,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001762404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.228{5EBD8912-BF53-6156-2200-000000000002}2668WIN-DC-4290fe80::65e5:9cae:dd2b:361b;C:\Windows\System32\spoolsv.exe 22542200x80000000000000001762403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.227{5EBD8912-BF53-6156-2200-000000000002}2668WIN-DC-429010.0.1.14;C:\Windows\System32\spoolsv.exe 22542200x80000000000000001762402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:34.914{5EBD8912-BF53-6156-2200-000000000002}2668WIN-DC-4290fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\spoolsv.exe 23542300x80000000000000001668694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:36.502{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4480E2135DA7542BDFF9C7D0C0A94FD9,SHA256=FA639A1E6A112E6A7681EEC3F07B440EFE2B79F5FC46253BAD962E984E1EDA5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.607{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9F4781D5933143E9E417FB1FBD3CD8C,SHA256=3BCA0AC7A775F7C5ACDA63E6873456E3CCE8EC309FBBCA396C5C932B9D42F60E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.592{5EBD8912-BFAB-6156-8B00-000000000002}41364276C:\Windows\system32\taskhostw.exe{5EBD8912-BFAC-6156-9300-000000000002}4672C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.592{5EBD8912-BFAB-6156-8B00-000000000002}41364276C:\Windows\system32\taskhostw.exe{5EBD8912-BFAC-6156-9300-000000000002}4672C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.590{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.590{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.588{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.587{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.587{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.587{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.465{5EBD8912-BFAA-6156-8800-000000000002}10163372C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001762391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.465{5EBD8912-BFAA-6156-8800-000000000002}10163372C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001762390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.379{5EBD8912-BF43-6156-1600-000000000002}12961944C:\Windows\system32\svchost.exe{5EBD8912-BFAC-6156-9300-000000000002}4672C:\Windows\System32\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.379{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFAC-6156-9300-000000000002}4672C:\Windows\System32\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.332{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.332{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.332{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-BFAC-6156-9300-000000000002}4672C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.332{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.332{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.332{5EBD8912-BFAB-6156-9000-000000000002}45164616C:\Windows\System32\calc.exe{5EBD8912-BFAC-6156-9300-000000000002}4672C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+3d433|C:\Windows\System32\SHELL32.dll+3d2fb|C:\Windows\System32\SHELL32.dll+3cc17|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x80000000000000001762382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.321{5EBD8912-BFAC-6156-9300-000000000002}4672C:\Windows\System32\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=B31A19BA38F110838119299B50517073,SHA256=D7B378A4BC4DEAE748462D216D14A20CCB1BAC1D3FFBC67711DB2CC1D8B182B7,IMPHASH=83A6FF176255FE0F3F902360860DA5F8{5EBD8912-BFAB-6156-9000-000000000002}4516C:\Windows\System32\calc.exeC:\Windows\System32\calc.exe 23542300x80000000000000001762381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.254{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3728FEF9FB310847E7C328556EF2123D,SHA256=F0C62EE67255D605D44EE05B70E7CDE34C6589225301F9F073E2AEC72E48F244,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.207{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BFAB-6156-9000-000000000002}4516C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.207{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BFAB-6156-9000-000000000002}4516C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.176{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.176{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.004{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9000-000000000002}4516C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.004{5EBD8912-BF43-6156-1600-000000000002}12961944C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9000-000000000002}4516C:\Windows\System32\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:36.004{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9000-000000000002}4516C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001668695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:37.711{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51CE5FFE5FC588CBFE58E1F05D7E5F9B,SHA256=CBC8AC184BE2F4DD77BC7F0805FCBCA3698E811ACA0DE0EDDEA4EFE01E5BBE38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.966{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.966{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.873{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.873{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.873{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.873{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.873{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.873{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.873{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.873{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 23542300x80000000000000001762508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.857{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77135D38F34F171FEF4983849E19407E,SHA256=C0C2348EFA5EE1FA6D85DEAA1438352CB2352E53EBAE354007AA7758017837F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.841{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A6C1BD97C592CC9C5C25ECEED1092C,SHA256=94294D71C1D0E9B04757A3C7EE3BBD2BA9BCA0E836102F67CEB5CE2E84BD70D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.795{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.795{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001762504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.795{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001762503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.795{5EBD8912-BFAB-6156-8900-000000000002}34524464C:\Windows\system32\sihost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.795{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.795{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001762500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.795{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001762499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.795{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.795{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001762497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.795{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.795{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.795{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.779{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.779{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.779{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.779{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.779{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.779{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.779{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+47a1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.779{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7705|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001762486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.779{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7705|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001762485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.779{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.779{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.638{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.638{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.638{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.638{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001762479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-10-01 07:58:37.638{5EBD8912-BFAD-6156-9400-000000000002}4880\TDLN-4880-41C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe 17141700x80000000000000001762478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-10-01 07:58:37.638{5EBD8912-BF53-6156-2800-000000000002}2924\TDLN-4880-41C:\Windows\system32\svchost.exe 10341000x80000000000000001762477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.638{5EBD8912-BF53-6156-2800-000000000002}29244468C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001762476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.638{5EBD8912-BF53-6156-2800-000000000002}29244468C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001762475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.638{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.638{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.623{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.623{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.623{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.623{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.623{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.623{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09884C533B16DFAAEA2DA1AA32244539,SHA256=DF979A63CC81BBD8899693D9564B69B27D0A8370943E5CA3C1E2B4E50989D6D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.607{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.607{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.607{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.607{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.607{5EBD8912-BFAB-6156-8900-000000000002}34524464C:\Windows\system32\sihost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.607{5EBD8912-BFAB-6156-8900-000000000002}34524464C:\Windows\system32\sihost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.607{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.607{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.591{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001762458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.591{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.591{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.591{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.591{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.591{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.591{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.591{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.591{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.576{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.576{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.576{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001762447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.576{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.576{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.576{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.576{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.576{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.576{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.560{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.560{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.560{5EBD8912-BFAB-6156-8B00-000000000002}41364276C:\Windows\system32\taskhostw.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.295{5EBD8912-BF43-6156-1600-000000000002}12961944C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.295{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.295{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.295{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.279{5EBD8912-BFA9-6156-8100-000000000002}37161076C:\Windows\system32\csrss.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.279{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001762432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.279{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001762431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.279{5EBD8912-BFAB-6156-8900-000000000002}34524200C:\Windows\system32\sihost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.263{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.263{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+47a1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.185{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.185{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001762426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-10-01 07:58:37.138{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\TranscodedImageCountDWORD (0x00000001) 354300x80000000000000001762425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:35.158{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61775-false10.0.1.12-8000- 23542300x80000000000000001762424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.076{5EBD8912-BFAB-6156-9200-000000000002}4576ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Notifications\WPNPRMRY.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.013{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:37.013{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.888{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09589ABB144D6B28B2F76387CF4A5F1,SHA256=9D8D5416A49E7D99D035DFEB88346F9276C3DDDC66DCA3D2C91230F413EC39CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.888{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880179F118BDEFFF8D21E0993D9D1F30,SHA256=5C5623E10C25FC68CC8F302BEACA21359459C24D25D1A8AF799F32695BCCC406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:38.779{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639B13BC34ED709F0CA78C65466070F0,SHA256=DCACF9A2EBB8705783EE88320710FE7BD974F1943405818D887345F6E68F4785,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.779{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.779{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.779{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.779{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.779{5EBD8912-BFAB-6156-8900-000000000002}34524200C:\Windows\system32\sihost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.779{5EBD8912-BFAB-6156-8900-000000000002}34524200C:\Windows\system32\sihost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.779{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.779{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.779{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001762596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.779{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.779{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.779{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.779{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.607{5EBD8912-BF43-6156-1100-000000000002}4441564C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.560{5EBD8912-BF43-6156-1100-000000000002}4441624C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001762590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.529{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.529{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A2B1B1FF31BBBD21411A2160916A7F,SHA256=E23DE6DE3643969C5C582FC0D00C047BBD1CC1231BDD86E28DEC09214D3992BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.513{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.513{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.513{5EBD8912-BFAB-6156-8900-000000000002}34524192C:\Windows\system32\sihost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.513{5EBD8912-BFAB-6156-8900-000000000002}34524192C:\Windows\system32\sihost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001762584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.498{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35389FFA6BE803E967E7DB5110AC6B5,SHA256=EE236717ABAFDFAB94674C67DF87A08D3802FDA609D2181ACE7F1582192F0059,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.482{5EBD8912-BFAA-6156-8800-000000000002}10163420C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001762582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.482{5EBD8912-BFAA-6156-8800-000000000002}10163420C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001762581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.466{5EBD8912-BFAA-6156-8800-000000000002}10163372C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001762580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.466{5EBD8912-BFAA-6156-8800-000000000002}10163372C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001762579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.466{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.466{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.466{5EBD8912-BFAB-6156-9200-000000000002}45764812C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.466{5EBD8912-BFAB-6156-9200-000000000002}45764812C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.466{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.466{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.451{5EBD8912-BFAB-6156-8B00-000000000002}41364276C:\Windows\system32\taskhostw.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.451{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.451{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.451{5EBD8912-BF43-6156-1100-000000000002}4441564C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.451{5EBD8912-BF43-6156-1100-000000000002}4441564C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.388{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.388{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.373{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.373{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001762564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.373{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001762563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.373{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001762562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.373{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.373{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.373{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001762559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.357{5EBD8912-BF43-6156-1100-000000000002}4441564C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.357{5EBD8912-BF43-6156-1100-000000000002}4441564C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.357{5EBD8912-BF43-6156-1100-000000000002}4441564C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.357{5EBD8912-BF43-6156-1100-000000000002}4441564C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.357{5EBD8912-BF43-6156-1100-000000000002}4441564C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.326{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.326{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001762552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.326{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.326{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.326{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.326{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.326{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45765084C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001762545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001762543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001762542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 354300x80000000000000001668696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:36.991{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49723-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001762540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001762539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001762537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001762536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001762527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.295{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 23542300x80000000000000001762526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.263{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A463BCF3E07C637ECAB22D9249D5F15,SHA256=F1BB3564AE05BFAD17779C0C3D7899D86898B3FA0C8D0E1B0A5AA36E43AC353F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.216{5EBD8912-BFAA-6156-8800-000000000002}10163420C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001762524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.216{5EBD8912-BFAA-6156-8800-000000000002}10163420C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001762523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.201{5EBD8912-BFAB-6156-8B00-000000000002}41364276C:\Windows\system32\taskhostw.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.091{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.091{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.013{5EBD8912-BF43-6156-1600-000000000002}12961316C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:38.013{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001668698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:39.799{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31BF13A4802930A9A41F82DF04E87302,SHA256=6F0FDA2FA6BEB127D7518EC6FEAFB57F7F1466FF79CC13DDC30044888F661AD0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001762652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:39.826{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000000) 13241300x80000000000000001762651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:39.826{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0001c35a) 13241300x80000000000000001762650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:39.826{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b613-0x9a563a69) 13241300x80000000000000001762649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:39.826{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b699-0xf0d2029f) 13241300x80000000000000001762648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:58:39.826{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b717-0xab541a9f) 10341000x80000000000000001762647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.779{5EBD8912-BF43-6156-1300-000000000002}5041100C:\Windows\System32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\ncbservice.dll+86ee|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.779{5EBD8912-BF43-6156-1300-000000000002}5041100C:\Windows\System32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+86c0|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.716{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.716{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.716{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BF53-6156-2800-000000000002}29242252C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001762641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BF53-6156-2800-000000000002}29242252C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 18141800x80000000000000001762640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-10-01 07:58:39.701{5EBD8912-BFAB-6156-9200-000000000002}4576\TDLN-4576-41C:\Windows\Explorer.EXE 17141700x80000000000000001762639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-10-01 07:58:39.701{5EBD8912-BF53-6156-2800-000000000002}2924\TDLN-4576-41C:\Windows\system32\svchost.exe 10341000x80000000000000001762638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BF53-6156-2800-000000000002}29242252C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001762637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BF53-6156-2800-000000000002}29242252C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001762636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BFAB-6156-9200-000000000002}45765084C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+37bbe|C:\Windows\System32\wpncore.dll+232a3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001762631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BFAB-6156-9200-000000000002}45765084C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+38e70|C:\Windows\System32\wpncore.dll+23267|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001762630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BFAB-6156-9200-000000000002}45765084C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+37bbe|C:\Windows\System32\wpncore.dll+232a3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001762627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BFAB-6156-9200-000000000002}45765084C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+38e70|C:\Windows\System32\wpncore.dll+23267|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001762626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.701{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.154{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+1a8f31|C:\Windows\System32\TwinUI.dll+b7ad9|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.154{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+1a8f31|C:\Windows\System32\TwinUI.dll+b7ad9|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.154{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+1a8f31|C:\Windows\System32\TwinUI.dll+b7ad9|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.154{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.154{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.154{5EBD8912-BFAB-6156-9200-000000000002}45764776C:\Windows\Explorer.EXE{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.138{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.138{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.138{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.138{5EBD8912-BFAB-6156-9200-000000000002}45763800C:\Windows\Explorer.EXE{5EBD8912-BFAC-6156-9300-000000000002}4672C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.138{5EBD8912-BFAB-6156-9200-000000000002}45763800C:\Windows\Explorer.EXE{5EBD8912-BFAC-6156-9300-000000000002}4672C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.138{5EBD8912-BFAB-6156-9200-000000000002}45763800C:\Windows\Explorer.EXE{5EBD8912-BFAC-6156-9300-000000000002}4672C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.138{5EBD8912-BFAB-6156-9200-000000000002}45763800C:\Windows\Explorer.EXE{5EBD8912-BFAC-6156-9300-000000000002}4672C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001668699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:40.819{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F58037872A3DA1AC101C5B59713E7CF,SHA256=993FF8E3994D914736E8817665857DA5FA7F5DDEB5DF40A36411CB5E6A8A9D15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:40.045{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CC428CA6310E23E24EF86045906D6A,SHA256=4CA3AEE795A9B13DB50987F86D405A70B575A38C674B20DE4418F61D88D7848C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:40.045{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E7F697780BCD80D1B9E8E2AACC65BB,SHA256=25BF49DC2F484509452AB0564EAA62732E693A752C54A763B3C9BBABB81930C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:41.838{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF11B9D9B28F5228D53BC77AC4AAFA7D,SHA256=80CE560109B291DA567588AFB4E23B082F1E2F170929B24E60E3BED9254E84E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:41.951{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFB1-6156-9600-000000000002}4780C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:41.951{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFB1-6156-9600-000000000002}4780C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:41.920{5EBD8912-BF43-6156-1600-000000000002}12961316C:\Windows\system32\svchost.exe{5EBD8912-BFB1-6156-9600-000000000002}4780C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:41.920{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFB1-6156-9600-000000000002}4780C:\Windows\System32\mobsync.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:41.810{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFB1-6156-9600-000000000002}4780C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:41.810{5EBD8912-BFA9-6156-8100-000000000002}37161076C:\Windows\system32\csrss.exe{5EBD8912-BFB1-6156-9600-000000000002}4780C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:41.795{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-BFB1-6156-9600-000000000002}4780C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:41.795{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFB1-6156-9600-000000000002}4780C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001762656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.789{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58299- 23542300x80000000000000001762655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:41.060{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194A56C654374575871D9A506964CBAD,SHA256=8AD5A481047863337F2146EAC2A8FFDDA35D4156107D0DE152C5645A9AEDEDF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:42.858{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6A3875CDDAEF0278DF511361CD2EE9,SHA256=EE9FCA799529993972C7AE9A98982D9738A01B51A0AF3012242D082F0EDAA5C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:42.810{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CCAE2C4123638276E9116CA391E342C,SHA256=85C93739FED8D4E8E4637013F7BD18D27DDA40F87565974EC84831ADAB5489E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001762666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:39.802{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local61776-false20.199.120.85-443https 23542300x80000000000000001762665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:42.076{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B446BAE6EDECFFA3318E75FFD54D0E2,SHA256=529DF998B2170639EFD1C174D5857A4DE931413F1D78FE29432EB767AB767003,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001668703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:40.519{69CF5F33-BF40-6156-0F00-000000000002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse209.124.239.182-58446-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001668702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:42.121{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7CAFAB963D2975082AE28D3F339F7F5,SHA256=648C9AEA4716F00D0D209FDC8480802B72755A7AAB756D9D61B5617E62C01050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:42.121{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09E0F2C7BD2515D6AAFDA7C838BF694B,SHA256=A4BCDE5734DD53283C61CBDA90F965393B3DAD6685B5CD9C15A4DBDAD00EB5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:43.877{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830FE5CC89ACFC573E56D71767E347CA,SHA256=8449CAAB2DDE13B9C86B1385388542F4D2643AB6EC45A5B0097DAA8CBC9C4BC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001762670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:41.852{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54263353- 354300x80000000000000001762669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:41.058{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61777-false10.0.1.12-8000- 23542300x80000000000000001762668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:43.107{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED34EC79B1FB5BBEB4428408829E4F58,SHA256=6BA38A2A62F01C7E7D39C97FF36BC810A8A0F25769B93E2F3B854913B97B7F89,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001668706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:42.085{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49724-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x80000000000000001668705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:58:43.124{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0x274c4ba1) 23542300x80000000000000001668710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:44.896{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A682D132AFC805344FDCC0DCC2F965D5,SHA256=E4B29C20A35574D9E18926B9A84C5E1970AC532A2DE5B94BB77B4AD48EA2D0EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:44.312{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-BF44-6156-1E00-000000000002}2128C:\Windows\system32\compattelrunner.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:44.312{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-BF44-6156-1E00-000000000002}2128C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:44.185{5EBD8912-BFAB-6156-8B00-000000000002}41364276C:\Windows\system32\taskhostw.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:44.123{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDEE178D5055DAD1BE8815C1C219898F,SHA256=39544B1BD4CCBA637E5772252F4E6A8CB555741592ECCA8DEB448D938832516B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:44.457{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BF41-6156-2500-000000000002}2520C:\Windows\system32\compattelrunner.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:44.457{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BF41-6156-2500-000000000002}2520C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:44.013{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:44.013{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:44.013{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:44.013{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001668711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:45.914{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3331EF6F9C81B2EEDB18CD44EC0F8448,SHA256=35964AB56B9BE4BEC8EDF432C5DBDDEB8BB2A9F11A1E0966B13075089734F2A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:45.138{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=775CB71C39FA63F6D085BFE0650B9C9C,SHA256=C152EE997AA33DF530A1A8D439E5CFAAFACC6C28010A64F1701BBEA9B3B753C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:46.513{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:46.513{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:46.201{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E648E75DB52D5A1E751A3FF130FAB63D,SHA256=70DC5BA2E66E205BDFB08D69B677E0156E00A1EBFFB60E2A88231E629DC185DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:46.933{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CE6C378B69003DEBC0680918791265C,SHA256=54F40115A9223369223F7BAF3E6015871C15BCEBF5BDE8EC847D5E31F5DFCE1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:47.951{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BEA3CABDC00E2BC67852571F71271F,SHA256=AA3BB2D564BDE8D40A3743E22157FE6BE69C55DCFFC0CFDA875580353164BEFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001762690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:46.136{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61778-false10.0.1.12-8000- 23542300x80000000000000001762689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:47.263{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A1CB5193BA5891064AC9C6E1CD78CB,SHA256=3354623C3B03DB59D50EBB9AE7A3B269F79E6A2D51FBCDA7BF8555BB47974A08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:47.248{5EBD8912-BF53-6156-2800-000000000002}29244468C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001762687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:47.248{5EBD8912-BF53-6156-2800-000000000002}29244468C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001762686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:47.248{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:47.248{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:47.248{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:47.248{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001668715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:48.969{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB92B04A3C979B120C1BB6C3A3F0D494,SHA256=1128BB1CA54BA97DC8C7057D4E1A60148E2D2B06ADB6AFE2255C310AE57EE1F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:48.810{5EBD8912-BF43-6156-1600-000000000002}12961316C:\Windows\system32\svchost.exe{5EBD8912-BFB8-6156-9700-000000000002}1080C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:48.810{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFB8-6156-9700-000000000002}1080C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:48.795{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-BFB8-6156-9700-000000000002}1080C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:48.763{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:48.763{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:48.763{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:48.763{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:48.763{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-BFB8-6156-9700-000000000002}1080C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:48.763{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFB8-6156-9700-000000000002}1080C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001762692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:48.762{5EBD8912-BFB8-6156-9700-000000000002}1080C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{5EBD8912-BF43-6156-0C00-000000000002}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x80000000000000001762691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:48.295{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4B7B97D52D824A4213AEC21E53EC20,SHA256=6FD84E1DA83BB60106EE386905BC6873100DB1621E1A6A5E22BE4E19D2443F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:48.750{69CF5F33-BF40-6156-1100-000000000002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DF9E24009176797F8C655076B5589F03,SHA256=6238C22B1662A63371EDB048D29B68E88AD8285E13AB71FC08AF05B603AABF8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.810{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF163A716E95239E5689382327E5B72F,SHA256=91778D786C97561C6FB3151B7AFC7CD9B7174F844AF061B13B030B7A5D5540AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.810{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF5E12DCDBFA2694D606B1604DE6D310,SHA256=E66484CACE695AE0AB47EF1E0EEB0011C9D720E08B02CBB45FE73FB3C11D2571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.513{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9EBA065EBD15B4F4BCD9F048104427A,SHA256=82219FEA61E6FFDE9C7E6682469CEFE2C7A39F238CCBE43CC34BD585A7B5F6F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.373{5EBD8912-BFB9-6156-9900-000000000002}43364628C:\Windows\system32\conhost.exe{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.357{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.357{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.357{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.357{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.357{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.357{5EBD8912-BFB9-6156-9800-000000000002}45084352C:\Windows\system32\cmd.exe{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001762726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.363{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper"C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-BFB9-6156-9800-000000000002}4508C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd" " 10341000x80000000000000001668729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.972{69CF5F33-BF40-6156-1300-000000000002}3843392C:\Windows\System32\svchost.exe{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+4609|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.972{69CF5F33-BF40-6156-1300-000000000002}3843392C:\Windows\System32\svchost.exe{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.956{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.956{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.956{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BF3F-6156-0A00-000000000002}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001668724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:47.960{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49725-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001668723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.533{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1900-000000000002}1804C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.533{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1900-000000000002}1804C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.533{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1900-000000000002}1804C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.533{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1900-000000000002}1804C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.533{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1900-000000000002}1804C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.533{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1900-000000000002}1804C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.533{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1900-000000000002}1804C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.533{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1900-000000000002}1804C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.326{5EBD8912-BFAB-6156-9200-000000000002}45764936C:\Windows\Explorer.EXE{5EBD8912-BFB9-6156-9800-000000000002}4508C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.326{5EBD8912-BFAB-6156-9200-000000000002}45764936C:\Windows\Explorer.EXE{5EBD8912-BFB9-6156-9800-000000000002}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.326{5EBD8912-BFAB-6156-9200-000000000002}45764936C:\Windows\Explorer.EXE{5EBD8912-BFB9-6156-9800-000000000002}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.326{5EBD8912-BFAB-6156-8B00-000000000002}41364276C:\Windows\system32\taskhostw.exe{5EBD8912-BFB9-6156-9900-000000000002}4336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.326{5EBD8912-BFAB-6156-8B00-000000000002}41364276C:\Windows\system32\taskhostw.exe{5EBD8912-BFB9-6156-9900-000000000002}4336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.310{5EBD8912-BFAB-6156-9200-000000000002}45763800C:\Windows\Explorer.EXE{5EBD8912-BFB9-6156-9800-000000000002}4508C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.310{5EBD8912-BFAB-6156-9200-000000000002}45763800C:\Windows\Explorer.EXE{5EBD8912-BFB9-6156-9800-000000000002}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.310{5EBD8912-BFAB-6156-9200-000000000002}45763800C:\Windows\Explorer.EXE{5EBD8912-BFB9-6156-9800-000000000002}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.310{5EBD8912-BFAB-6156-9200-000000000002}45763800C:\Windows\Explorer.EXE{5EBD8912-BFB9-6156-9800-000000000002}4508C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.310{5EBD8912-BFAB-6156-9200-000000000002}45764804C:\Windows\Explorer.EXE{5EBD8912-BFB9-6156-9900-000000000002}4336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.310{5EBD8912-BFAB-6156-9200-000000000002}45764804C:\Windows\Explorer.EXE{5EBD8912-BFB9-6156-9900-000000000002}4336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.310{5EBD8912-BFAB-6156-9200-000000000002}45764804C:\Windows\Explorer.EXE{5EBD8912-BFB9-6156-9900-000000000002}4336C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.310{5EBD8912-BFAB-6156-9200-000000000002}45764804C:\Windows\Explorer.EXE{5EBD8912-BFB9-6156-9900-000000000002}4336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.310{5EBD8912-BF43-6156-1600-000000000002}12961316C:\Windows\system32\svchost.exe{5EBD8912-BFB9-6156-9900-000000000002}4336C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.310{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFB9-6156-9900-000000000002}4336C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.295{5EBD8912-BFB9-6156-9900-000000000002}43364628C:\Windows\system32\conhost.exe{5EBD8912-BFB9-6156-9800-000000000002}4508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.279{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-BFB9-6156-9900-000000000002}4336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.263{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.263{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.263{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.263{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.263{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-BFB9-6156-9800-000000000002}4508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.263{5EBD8912-BFAB-6156-9200-000000000002}45764288C:\Windows\Explorer.EXE{5EBD8912-BFB9-6156-9800-000000000002}4508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\Explorer.EXE+91a26|C:\Windows\Explorer.EXE+11a0b|C:\Windows\Explorer.EXE+1187e|C:\Windows\Explorer.EXE+f7c2|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x80000000000000001762702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:49.261{5EBD8912-BFB9-6156-9800-000000000002}4508C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd" "C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x80000000000000001762748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:50.560{5EBD8912-BF43-6156-1600-000000000002}12961316C:\Windows\system32\svchost.exe{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:50.560{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001762746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:48.739{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54265013- 10341000x80000000000000001762745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:50.513{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:50.513{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001762743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-10-01 07:58:50.435{5EBD8912-BFB9-6156-9A00-000000000002}2216\PSHost.132775487293638716.2216.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001762742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:50.357{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2173BEBF79B5C1D48CE370E9C8DC0C0A,SHA256=4FC3D31D21123763A4005C4E37C868579AB859C1116CBB1CAD047228CF1FD799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.817{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0FEBBDFA972060E7B35CB8C47577BF7E,SHA256=C5BF69C1EDED6F2F8997CD3BA843381E42779B9409642CAE7B4F538C7B22C398,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.802{69CF5F33-BF3F-6156-0A00-000000000002}636712C:\Windows\system32\services.exe{69CF5F33-BFBA-6156-7B00-000000000002}2140C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.802{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBA-6156-7B00-000000000002}2140C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.755{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-BFBA-6156-7B00-000000000002}2140C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.755{69CF5F33-BF3F-6156-0A00-000000000002}636708C:\Windows\system32\services.exe{69CF5F33-BFBA-6156-7B00-000000000002}2140C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.692{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.692{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.692{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BF3F-6156-0A00-000000000002}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001668760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.567{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0FEBBDFA972060E7B35CB8C47577BF7E,SHA256=C5BF69C1EDED6F2F8997CD3BA843381E42779B9409642CAE7B4F538C7B22C398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.567{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B2696F5D84716874227CFEBF904CF1BB,SHA256=46DB7567515D9D922875B1B8EF90A4D5A0717E510A9273D7C5E1A308904799B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.535{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BFBA-6156-7A00-000000000002}1124C:\Windows\System32\msdtc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.535{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BFBA-6156-7A00-000000000002}1124C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.426{69CF5F33-BF3F-6156-0A00-000000000002}636712C:\Windows\system32\services.exe{69CF5F33-BFBA-6156-7A00-000000000002}1124C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.347{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.347{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.347{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.347{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.347{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.347{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.347{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.347{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.347{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.347{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-BFBA-6156-7A00-000000000002}1124C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.347{69CF5F33-BF3F-6156-0A00-000000000002}636708C:\Windows\system32\services.exe{69CF5F33-BFBA-6156-7A00-000000000002}1124C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.352{69CF5F33-BFBA-6156-7A00-000000000002}1124C:\Windows\System32\msdtc.exe2001.12.10941.16384 (rs1_release.160715-1616)Microsoft Distributed Transaction Coordinator ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationMSDTC.EXEC:\Windows\System32\msdtc.exeC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{69CF5F33-BF40-6156-E403-000000000000}0x3e40SystemMD5=308F08347923DEEDE7BC03EC7D485841,SHA256=72DB45CA11FE635DF9F8273C38CBEFB8DF5362ADA0CBF6D2B1E570365DC700C0,IMPHASH=D02F3DF332409C5D3F34BA2D38FC4ED4{69CF5F33-BF3F-6156-0A00-000000000002}636C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001668743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.347{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.347{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.347{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BF3F-6156-0A00-000000000002}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.207{69CF5F33-BF3F-6156-0A00-000000000002}636712C:\Windows\system32\services.exe{69CF5F33-BFBA-6156-7900-000000000002}3584C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.207{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBA-6156-7900-000000000002}3584C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.207{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-BFBA-6156-7900-000000000002}3584C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.207{69CF5F33-BF3F-6156-0A00-000000000002}636708C:\Windows\system32\services.exe{69CF5F33-BFBA-6156-7900-000000000002}3584C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.207{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.207{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.207{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BF3F-6156-0A00-000000000002}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.081{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.081{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:50.081{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BF3F-6156-0A00-000000000002}636C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001668730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.987{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5EC8B22A12A36238CB9F44B620A909,SHA256=951BCFF22E158D4EA5F662A805E0A83159DB08C0E40596FA00EC1F48CE378DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:50.326{5EBD8912-BFB9-6156-9A00-000000000002}2216ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_aobu453v.xck.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:50.326{5EBD8912-BFB9-6156-9A00-000000000002}2216ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_r51z4cbp.4vn.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:50.326{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B875731574A62D95A957C660CE3B9847,SHA256=1F8F04BA4F250A948DA8B0A82438D9957C5B23F57451C7C44F8FACFCBEA09F32,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001762738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:50.201{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_r51z4cbp.4vn.ps12021-10-01 07:58:50.201 10341000x80000000000000001762737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:50.185{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.982{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F77FC062142D9895905BED96AC1DF4AE,SHA256=3215656557D4540591209D4716D911E16F5C61D348B60112E85C1FBE11967AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.935{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=12FE260028D193B95C75A94ECC74BEC4,SHA256=1361C5FDBFFA78E865B9F0B99D98141314FB2CA28656A9CC6E4A6AAE11302A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.888{5EBD8912-BF43-6156-1200-000000000002}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=91426887A6285779F9749784314EF927,SHA256=2421734E0FCD7E3FF0526DB31C323D1114A71B09178AA8B132C370074FE52FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.873{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BCAA54F817CB487DD733E505C736293C,SHA256=FFFA7C4B286502EA5D9F36D64A5A7956F4EA8E1050588DA5960449916B897E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.826{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C08DABD8E78EB0AB929C01A01E8D623D,SHA256=686DCC5208EA3FE3FA1A34810EA566A405A68CD916F4FF12A0CE90F1D3D9F238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.795{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3B68E0232AA168A36F51F7AD57BA5777,SHA256=91ABDDF7243AF79360A8327A098820DC3078371A06D55A0B6C3EF23ACE12FBFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.748{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C820CAB07DEC62B35BDBB5C9E2352346,SHA256=1066D482F647BF8B1E8933B8D500D4FFCA16C810F0203504BBBF5946D4009FB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.716{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=772F3B21D86DD69108473FD17319852C,SHA256=950BE23DACC178D560F9F60E907118273CDDAB520EC4F565FF9E17D7A200560A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.670{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6DF3A0FD6ABB5A67690723342B5E0616,SHA256=E1A541E3BB9AD5923944DBAE3389EFEB94FDE0EE45FD6D050E4642BE057910D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.638{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=05803B74A9D279DE3EA85C8327BD84EC,SHA256=D6BBAAC5DE127D10E603A6B4974B5484DDFE83187CCFC93117B564FFB1E52C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.607{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=036FBC9C26A1FF4EF1CFB47A673EB9BC,SHA256=DC0E519126ED6FF8B146AFF3F9E2489D787286D06EED243436AF7297C44D0211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.576{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5C81ED4F26599449E17CBE3DD8EE1290,SHA256=1931013E0245CEEF7876E703162F870497F07A33C4649F8CD1C14DDAF8C50991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.529{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=685BB40D3EA25FBD161A9B11B619AF83,SHA256=3409C4091C9882BE85D43EE7ED19DA0D9D2E55239D353DD9D507568F50D0A574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.482{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F535CFC6E1CBEC3EAD936C11F5081098,SHA256=AE62A6E41F9DF3621D18F3285D6CC9BD2684D48164EF5FC33927F304155A3819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.451{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2087D5C8DFD9A282BD1A18AE05A1DF75,SHA256=BA22F68439E2FB2281F9F054CBEEFFB0A9C0B1FA0A805E044742503B9EDCB41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.404{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A07F7E4C94DEABF09C6A6D39CC5DD3D,SHA256=EAF4CD80BB43935FD332004B93C18AB0EFEC38402AD24E79CA5CB76B326E85EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.976{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AC5FC9CE04DF4779CB96E4DC077CDF33,SHA256=97B162FFC6441C6B80B35FE1C3AD3BE2915AD8A27CB517FEDE53B8A089BEF510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.960{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=872BAC46CCAEABDCD0EC9D1EF22A4516,SHA256=8FAB45ADF040C3AE8B85A0573EC2842AC21F0C9C17C489BB9AA3E249EAB9B810,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001668798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.121{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-542.attackrange.local49726-false67.27.159.254-80http 23542300x80000000000000001668797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.741{69CF5F33-BFBA-6156-7B00-000000000002}2140NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\tokens.dat.bakMD5=6F7FAFBD275506EB49D468826027843C,SHA256=EEF546B5DDDA1055EC684B389375DD245738619FA9145FD58C76E4BFD031B215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.537{69CF5F33-BFBA-6156-7B00-000000000002}2140NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\cache\cache.datMD5=68B4CAD46713C7BCF4F72AA7066623B5,SHA256=CAE4DFB78F7BAF797B9C037C33C765F4654C2E0497A97BFF2488870B952DB3AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.365{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.365{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.365{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.318{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.318{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.318{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.303{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.303{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.303{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.287{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.287{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.287{69CF5F33-BF40-6156-1600-000000000002}12042664C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000001668783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.393{69CF5F33-BF40-6156-1900-000000000002}1804WIN-HOST-5420fe80::e060:eede:318:987a;C:\Windows\System32\spoolsv.exe 22542200x80000000000000001668782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.393{69CF5F33-BF40-6156-1900-000000000002}1804WIN-HOST-542010.0.1.15;C:\Windows\System32\spoolsv.exe 22542200x80000000000000001668781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:49.119{69CF5F33-BF40-6156-1900-000000000002}1804WIN-HOST-5420fe80::e060:eede:318:987a;::ffff:10.0.1.15;C:\Windows\System32\spoolsv.exe 10341000x80000000000000001668780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.271{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.256{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.256{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.256{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.256{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.256{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001668774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.224{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30AC902F4566071ABE140109D51AA0DA,SHA256=55C024B5EDAB2CAA551850EF528AAA3CB66EF05E7442E2869DDD013C30DA0CAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.224{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7CAFAB963D2975082AE28D3F339F7F5,SHA256=648C9AEA4716F00D0D209FDC8480802B72755A7AAB756D9D61B5617E62C01050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.099{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24940A8585388AE12A312806C726FBF6,SHA256=8CEC1E78DFC4AF8ED16E384DD659F372E2D1886F37F1607BC5B51F3CF4EE5144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.083{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7B8C357E8586F51BE12D9E28566EBA6A,SHA256=F884C3D45C8563BA63B11BBA1CE000039A9321DF6B6B4CD3E7C2483C4E16337B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.389{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=574392A50AB16C4A6B54A820A388F590,SHA256=945C69A98493C2F83928651398CAFBD2E1E453C91DAC12ACA3843E8B37279F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.341{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C92819D0B9AF531251D01170D43DB035,SHA256=34DF4140785CCA7D852D10E440CF76CC96C60FAB1CBF0B58EB13DFF7C1D51E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.295{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BA5F0D3B8B1A41E4ACF49CC54E2FA04D,SHA256=4B355EB061F301AE0217DF9F9D19BFACD008F718B9CAAF25027FC12E82F0F082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.248{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CCE98D0C4EFC9DC6820460A6B1677702,SHA256=707E918E79EECDDE8BA5A940F2C91C458B4F806A80BF11CEF17A2A6FF134CE68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.170{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3DEFB41BBC2A25E59028B46E890C3617,SHA256=C327B7F51BC58072B3F7E364C641B96FE189903C611F7A67B2C409C10D40C956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.138{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7C02C85CD58EFDAA0961DCCEC0276604,SHA256=7539E47D1823782BE59867E03CECD7FDCD95E0C7973DE975DDA77FADBAE76764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.123{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=07FDD2AC3045B35BD51BEE30AA6633DC,SHA256=71C830BEB8E39A009005134C8BCAC71A7256EB146BA5A130BB95E2C4C87347E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.029{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=50B5A26BC057176AF450AF9A068BF9F9,SHA256=7E58D0C5386486DB419FBFB0C4576476934967EE3D8CDB97B80ED96AF765E7D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:51.013{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7C8458C054018E07DDA05399C14CB088,SHA256=AA6DFCB2C4042EA922C7631ADC1FDDE643C3A2FAE3A31FC48D133CD52EA5F368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.005{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=090E67D2CFA8E8077271225BDBB6FC9F,SHA256=4B5C017FD13A127A77EB981886711F499FB9C6BEF3912ECDD24E2D6751D1F404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:51.005{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=72B83DEE80009769441203E666B68516,SHA256=C81D837A76050133186233045BD76F33830BBD725726269E7D98F72FE34C4003,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.795{5EBD8912-BFB9-6156-9900-000000000002}43364628C:\Windows\system32\conhost.exe{5EBD8912-BFBC-6156-9B00-000000000002}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.795{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.795{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.795{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.795{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-BFBC-6156-9B00-000000000002}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.795{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.795{5EBD8912-BFB9-6156-9A00-000000000002}22164340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-BFBC-6156-9B00-000000000002}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+7d8e81|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+7d828a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\3143b7407cd40db6cd5387f74bfeadef\Microsoft.PowerShell.Commands.Utility.ni.dll+885e7fc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\3143b7407cd40db6cd5387f74bfeadef\Microsoft.PowerShell.Commands.Utility.ni.dll+885e7fc0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+d3a594be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+d3a33480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+d3a330bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+d44fb3e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+d39f002d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+d3a53a9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+d3a35aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+d3a35aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+d3a35c2e(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+58e06 154100x80000000000000001762791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.758{5EBD8912-BFBC-6156-9B00-000000000002}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\5db3jcdv\5db3jcdv.cmdline"C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper" 11241100x80000000000000001762790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.748{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\5db3jcdv\5db3jcdv.cmdline2021-10-01 07:58:52.748 11241100x80000000000000001762789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 07:58:52.748{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\5db3jcdv\5db3jcdv.dll2021-10-01 07:58:52.748 10341000x80000000000000001762788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.654{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.654{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.654{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.529{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=10B23D44813A98737855213246361F07,SHA256=975B83BB7C588AF88AF7F4D6FF05CD53FDC6C9D915F9901814F397DFB280D891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.482{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=30690AC8AA217CC83DE28DF6290CF95B,SHA256=4901C4383AA093D8CF24C8AF2D320B603889EEA48B65B6E7D1D3FA2D39808CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.435{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=06EA07DC2706CDF66999DA8EEFD5E9B3,SHA256=54DEBC3E60B289E596FDA15CE5CEAAB1110063E39ECC6F50ABE46A8B3B6D3EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.420{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89CA77B81EAD7E60523D3363212FEA8C,SHA256=655F1941E690BE5014FEEA49895C179E41484F610EB62430EB19CF42E01774C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.388{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4406624D8EAA340F9797CA5505EBF577,SHA256=F627F170226E20BA28F8B2A05C3BE628FA5F7647591D54BBAC151F765EEB6099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.341{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3BD4828DD2C7400906B226F1845DD314,SHA256=1C44A0C56EDF6A342D86EFE9F1723ABD0359AC6AF35D5A91B18983F167A0874A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.310{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F7D2AF372B44F8DF8DB1C1CD7FFF36F6,SHA256=37988B666C18D95ADC6517E0C488D5F0E5B7E30A315D78E494081EF906783158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.263{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D172EF3EE74DCA537A83B94A0710F430,SHA256=55ED22241170EFBD99DD24481CD0C79240DE8043265EF1932F8177C1D52A88DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.201{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0B5C14BE73FC72CB78262B281DB97604,SHA256=2782028854500083F29F0925C01C99ACADBF253F5144187F202D5EB1F9190714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.154{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FB95EF51B7B68D103E56B747057F7D9E,SHA256=89FBA31C6E50ED60F0ED670E339F50414C5CBE0232EF62AB9AA19EEBFC610B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.076{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7795D9941A1050E4D80ED2EB1696665F,SHA256=DC9FA41A43E1CBAE9851E604A27592BF2A8CC230B4409ECB5F674A6A9B157D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.029{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=25324B8FDEA88559677C5D365024477C,SHA256=A79E81CFB96F7EC05506CDC1EFEA3D0163FF236F2C6342CC51E140F6CC78BD30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:52.841{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20211001075651-001MD5=E2350FF87285264FC2F693171FD6908F,SHA256=DD0C2B6A4BAA6FC008B19D4F8AE41D7B35D93255AA75D9D1AFF144D5A1F933A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:52.636{69CF5F33-BF40-6156-1300-000000000002}384NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\System32\LogFiles\WMI\SUM.etlMD5=C5ECA511B7B768795915D4F4AD3B4791,SHA256=46E5E817A98A35EFA5167BA4E19366648FE1EDCB186F19170D48189CC5147AD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:52.557{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:52.557{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:52.557{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:52.557{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:52.557{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:52.557{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:52.542{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:52.542{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:52.542{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BFBB-6156-7C00-000000000002}3976C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001668803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:52.495{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30AC902F4566071ABE140109D51AA0DA,SHA256=55C024B5EDAB2CAA551850EF528AAA3CB66EF05E7442E2869DDD013C30DA0CAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:52.370{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B063B3161FD4663E07F71933E2CF3A77,SHA256=11CA31E3465CD0DA37B155E070CAEB2414FF33ADFB13A41A0F3013E10574DD2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:52.007{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1E2954B8E4776425E0A654D344D31A5F,SHA256=1AAC1845CAA448A391AE3E0C19055BB56644B0770BE2FBFFC93495FC703041BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.748{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF163A716E95239E5689382327E5B72F,SHA256=91778D786C97561C6FB3151B7AFC7CD9B7174F844AF061B13B030B7A5D5540AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.685{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=58D88083385F6906BA9F2FE8F2FC74F5,SHA256=82FE4B528ED892DCCCA09D15988AA6E9793933E20AA097C919F17519D7DD1B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.685{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F70E6F1C93A7FB666CB517C1538103B,SHA256=40CC5743418775E38DF0948286FAAFF86F9A30A5A2E0F77A322EF3EF1D72F378,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.654{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.654{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.654{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.654{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.654{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.654{5EBD8912-BFAB-6156-8900-000000000002}34524464C:\Windows\system32\sihost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.654{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.654{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.654{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001762817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.654{5EBD8912-BFAB-6156-8900-000000000002}34524464C:\Windows\system32\sihost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001762816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.089{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61779-false10.0.1.12-8000- 23542300x80000000000000001762815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.341{5EBD8912-BFB9-6156-9A00-000000000002}2216ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\5db3jcdv\5db3jcdv.dllMD5=750201320F6E75042776ED4F59F52335,SHA256=73A628DB1C4619B583CA4D74859B3E20B9A59B019B17073500F70B28D49D0889,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x80000000000000001762814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.341{5EBD8912-BFB9-6156-9A00-000000000002}2216ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\5db3jcdv\5db3jcdv.0.csMD5=D9ACA9FFA16C22410A16DE5D5571469D,SHA256=74E86BCD8E601DAC165642F69B571B651867BE0251D7B3D9498D1F080E4D8391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.326{5EBD8912-BFB9-6156-9A00-000000000002}2216ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\5db3jcdv\5db3jcdv.outMD5=876637ACD2CE7A6522404FCC1C5F1593,SHA256=2B58F4D7955EBA280B4D523AD0129AF02FF18B2610F9E563828F73EB9BDF9377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.326{5EBD8912-BFB9-6156-9A00-000000000002}2216ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\5db3jcdv\5db3jcdv.cmdlineMD5=7A98AD17B63AAD5611F96C4D594A5864,SHA256=0C8EF703BF80819B4FEB5EBA4F62C4F101394DF75C84DF38550F93FE445436E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.295{5EBD8912-BFBC-6156-9B00-000000000002}4940ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\5db3jcdv\CSC74C8FD8D223F4A8D9E0D23FD6CC9D8.TMPMD5=F236A0BB1B7F27F4043156B29981280D,SHA256=244F1222477193355373534857DA2BB89CDE9A2AC8A40A01C6A78C122999EA5A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001762810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 07:58:53.232{5EBD8912-BFBC-6156-9B00-000000000002}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\5db3jcdv\5db3jcdv.dll2021-10-01 07:58:52.748 23542300x80000000000000001762809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.232{5EBD8912-BFBC-6156-9B00-000000000002}4940ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\5db3jcdv\5db3jcdv.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.232{5EBD8912-BFBC-6156-9B00-000000000002}4940ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESF77A.tmpMD5=82777CEC857E98E3C6A41838461ABDBA,SHA256=181EFABDA3279FFEB2E3C8B8AA345919620ACE63525ECFA8B32B80DFDA012E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.185{5EBD8912-BFBD-6156-9C00-000000000002}2848ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESF77A.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.170{5EBD8912-BFB9-6156-9900-000000000002}43364628C:\Windows\system32\conhost.exe{5EBD8912-BFBD-6156-9C00-000000000002}2848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.170{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.170{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.170{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-BFBD-6156-9C00-000000000002}2848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.170{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.170{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.170{5EBD8912-BFBC-6156-9B00-000000000002}49404960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5EBD8912-BFBD-6156-9C00-000000000002}2848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001762799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.173{5EBD8912-BFBD-6156-9C00-000000000002}2848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESF77A.tmp" "c:\Users\Administrator\AppData\Local\Temp\5db3jcdv\CSC74C8FD8D223F4A8D9E0D23FD6CC9D8.TMP"C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{5EBD8912-BFBC-6156-9B00-000000000002}4940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\5db3jcdv\5db3jcdv.cmdline" 10341000x80000000000000001668827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.885{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.885{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.885{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.857{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.857{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.857{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001668821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.857{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20211001075649-002MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.857{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.856{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.856{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001668817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.652{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=090E67D2CFA8E8077271225BDBB6FC9F,SHA256=4B5C017FD13A127A77EB981886711F499FB9C6BEF3912ECDD24E2D6751D1F404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.386{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31F9ABDAA28A560076468E857BFB4E0F,SHA256=CCCE4FA364AD11741A634973C357D1741C656E33CD1AE1CF9918CD8D1E7F85C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.339{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BF3D-6156-0100-000000000002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001762843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.779{5EBD8912-BFAB-6156-8900-000000000002}34524464C:\Windows\system32\sihost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.763{5EBD8912-BFB9-6156-9A00-000000000002}2216ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.670{5EBD8912-BFAB-6156-9200-000000000002}4576ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpgMD5=CE188002F2174FC802614D9546436AEE,SHA256=23F2F4038EF682DDCB2117F26C8FBA93055B9796ADDCEA0007CD5D7FEDF5BFA3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001762840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-10-01 07:58:54.654{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\TranscodedImageCacheBinary Data 23542300x80000000000000001762839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.576{5EBD8912-BFAB-6156-9200-000000000002}4576ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaperMD5=9F66C7A92669117D84AD0084B52D110D,SHA256=9F862D22987EEB12906CB8A85857828C5684B3BD1497D0FBB0F2B6ADA86A6EF6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001762838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-10-01 07:58:54.560{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\LastUpdatedDWORD (0xffffffff) 13241300x80000000000000001762837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-10-01 07:58:54.560{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\WallpaperC:\Users\Administrator\AppData\Local\Ec2Wallpaper_Info.jpg 23542300x80000000000000001762836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.529{5EBD8912-BF53-6156-2C00-000000000002}3016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.466{5EBD8912-BF43-6156-1100-000000000002}4441564C:\Windows\system32\svchost.exe{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001762834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.817{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249730-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001762833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.815{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249729-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001762832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:52.812{5EBD8912-BF3D-6156-0100-000000000002}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249728-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 10341000x80000000000000001762831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.248{5EBD8912-BF43-6156-1100-000000000002}4441564C:\Windows\system32\svchost.exe{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.248{5EBD8912-BF43-6156-1100-000000000002}4441564C:\Windows\system32\svchost.exe{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001668848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.936{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=17FB29B80B18B78115AE5BF1482E9A06,SHA256=556420CB17B2A349033D436EBFEB4A5C18744D193493980370AA7AB0AC18FF31,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001668847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localT1101SetValue2021-10-01 07:58:54.905{69CF5F33-BF3F-6156-0A00-000000000002}636C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001) 23542300x80000000000000001668846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.673{69CF5F33-BF40-6156-1600-000000000002}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\tmpgptfl.infMD5=F443C7B00E42C58336E9113C4B92A1EA,SHA256=01406B7BD612A8321213382482E44EA2C7B5467B57E17E9C135EAB2A8221FAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.655{69CF5F33-BF40-6156-1600-000000000002}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\gpt00000.domMD5=338F5A9E4E606FC803055C8314E3F366,SHA256=DD15D6AD575AD10CBA979783EE68DC6A5A21ECDABDB4E0678F83870931BBD317,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.639{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BF3D-6156-0100-000000000002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001668843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.639{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BF3D-6156-0100-000000000002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001668842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.639{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BF3D-6156-0100-000000000002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001668841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.639{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.639{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.639{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.639{69CF5F33-BF3F-6156-0B00-000000000002}644720C:\Windows\system32\lsass.exe{69CF5F33-BF3D-6156-0100-000000000002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001668837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.639{69CF5F33-BF3F-6156-0B00-000000000002}644720C:\Windows\system32\lsass.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.639{69CF5F33-BF3F-6156-0B00-000000000002}644720C:\Windows\system32\lsass.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001668835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.451{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE0FC5F104763450A744FF88304BEE3,SHA256=5FE34570BD9BF4D91898B004F2297A6171683E8F5F244CC89B981009AF55D066,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001668834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.198{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000001668833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.198{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.198{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.198{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.198{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.198{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.198{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001762872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.118{5EBD8912-BF3D-6156-0100-000000000002}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249743-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001762871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.117{5EBD8912-BF3D-6156-0100-000000000002}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249742-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001762870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.116{5EBD8912-BF3D-6156-0100-000000000002}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249741-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001762869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.111{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249740-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001762868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.108{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249739-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001762867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.796{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local61787-false169.254.169.254-80http 354300x80000000000000001762866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.789{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249738-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001762865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.763{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local61786-false169.254.169.254-80http 354300x80000000000000001762864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.732{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local61785-false169.254.169.254-80http 354300x80000000000000001762863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.681{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local389-false10.0.1.15WIN-HOST-54264932- 354300x80000000000000001762862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.680{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54264931- 354300x80000000000000001762861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.678{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local61784-false8.248.139.254-80http 354300x80000000000000001762860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.675{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249737-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001762859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.675{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57995- 354300x80000000000000001762858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.668{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local61783-false93.184.220.29-80http 354300x80000000000000001762857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.666{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64618- 354300x80000000000000001762856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.666{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249736-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001762855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.661{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local61782-false169.254.169.254-80http 354300x80000000000000001762854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.620{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local61781-false169.254.169.254-80http 354300x80000000000000001762853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.578{5EBD8912-BFB9-6156-9A00-000000000002}2216C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local61780-false169.254.169.254-80http 354300x80000000000000001762852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.347{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249735-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001762851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.343{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249734-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001762850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.329{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249733-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001762849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.328{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249732-false10.0.1.14win-dc-429.attackrange.local49666- 354300x80000000000000001762848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:53.326{5EBD8912-BF43-6156-0D00-000000000002}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15WIN-HOST-54249731-false10.0.1.14win-dc-429.attackrange.local135epmap 23542300x80000000000000001762847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:55.060{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=91C31F18B71C8B4EA6979E8D7C7FF156,SHA256=F4A0294BB99B36863610820FE159C461FD5EFA121FCABE19A791D88FA83984DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.998{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED708AD23C41DDC022453101DB216B6,SHA256=CA6EEAB55B68637B5DC55CA184B73EDC86D57A57D35D83C0714DB114BCD85A32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.998{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F306FEB39E2CD69D2FA33AECA592F5B1,SHA256=5C8EB5C69E34F1253B71B6F27E3E49EB12C91497444E02403213F46B91D0D5DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.998{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADAB449A78F5B8DE56F174021C288FDA,SHA256=5C73C92E596AA3131368D80B67B8329905A414C43DC56ED485667EF338E4A778,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001668857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.067{69CF5F33-BF3F-6156-0B00-000000000002}644_ldap._tcp.Default-First-Site-Name._sites.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001668856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.741{69CF5F33-BF40-6156-1600-000000000002}1204win-dc-429.attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000001668855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.195{69CF5F33-BF40-6156-1100-000000000002}1004win-dc-429.attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 23542300x80000000000000001668854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:55.484{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC3EBB1938788419575C124AD38231C,SHA256=7F196CB88A2D4DB40999E2FEB7343703AC3A632DC4D118E39A62C4934A2150F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:55.234{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1958F72F68CDA15C9E53563C3F0E7C3,SHA256=44E9B6EE65ABCE024FD6E2A7D6BB2F9C925C630F65E6293C93CA22F2F0F1F3D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001668852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.190{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49730-false10.0.1.14-88kerberos 354300x80000000000000001668851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.188{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49729-false10.0.1.14-88kerberos 354300x80000000000000001668850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.185{69CF5F33-BF3D-6156-0100-000000000002}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49728-false10.0.1.14-445microsoft-ds 354300x80000000000000001668849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.039{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49727-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001762875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:54.511{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61788-false10.0.1.12-8089- 23542300x80000000000000001762874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:56.201{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F02AD72A7698D613912B6534D91A5D1D,SHA256=0096D19AFAB98492DA2B2CE6FEE4D46BE426203379F53BFCAD0CEE0445BE25EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:56.201{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B767835945F6A5C757000C1BF35A17E,SHA256=53AB48C9787004DF0AD5CDCEAA181D3E2A9A6046B95035BE6737101A7F2073B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:56.626{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D40CF0168DE56C7948612C0F306C4E,SHA256=91459D3105668B9D86A3E1D3FF1008F222E442BBDA7D06167CC5E39CC1CAC407,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001668870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.491{69CF5F33-BF3D-6156-0100-000000000002}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49743-false10.0.1.14-445microsoft-ds 354300x80000000000000001668869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.490{69CF5F33-BF3D-6156-0100-000000000002}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49742-false10.0.1.14-445microsoft-ds 354300x80000000000000001668868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.489{69CF5F33-BF3D-6156-0100-000000000002}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49741-false10.0.1.14-445microsoft-ds 354300x80000000000000001668867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.484{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49740-false10.0.1.14-88kerberos 354300x80000000000000001668866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.481{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49739-false10.0.1.14-88kerberos 354300x80000000000000001668865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.162{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49738-false10.0.1.14-389ldap 354300x80000000000000001668864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.048{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49737-false10.0.1.14-88kerberos 354300x80000000000000001668863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:54.038{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49736-false10.0.1.14-389ldap 354300x80000000000000001668862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.720{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49735-false10.0.1.14-88kerberos 354300x80000000000000001668861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.716{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49734-false10.0.1.14-88kerberos 354300x80000000000000001668860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.702{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49733-false10.0.1.14-88kerberos 354300x80000000000000001668859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.701{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49732-false10.0.1.14-49666- 354300x80000000000000001668858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:53.699{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49731-false10.0.1.14-135epmap 354300x80000000000000001762877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:55.371{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57395- 23542300x80000000000000001762876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:57.216{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E7A6F7AFD7AC2246F5EF27046923C71,SHA256=0213709025CF588B1DB76966A2EB8EF979EFF6EB032D09E020BC64444228C2B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:57.769{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F59AAFF5B0A957B82C69CC47521675,SHA256=073158B59D360F5BD3DFC5C24C901253DC953C163C3AB96B8EC67AD15A2D12AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:58.279{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7FE89E0AFBE1EA328F1E2241CE45553,SHA256=06E75F347E6CE835A86B3ABF57B6F34EF9E9BE9DF97473034CB0BEAD4ABE34B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:58.895{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4BB4A2200647B16F8F9A163705302F0,SHA256=7D7FDF38A0C8B7BBC5CCFC853E324CA68F338026DEFAF25AA95D8BC1079EAF08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:58.316{69CF5F33-BF40-6156-1A00-000000000002}1872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:59.294{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D1820B5ADA540D3EEC82F63B927E172,SHA256=8F3314BE7D08008543BB705C8C3237940F521806DEA1133A0B8EF9A7135CF5EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001762881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:58:58.074{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61789-false10.0.1.12-8000- 23542300x80000000000000001762880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:00.326{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E88EB3C6295741E9C1E28F06CE9F427,SHA256=F127DDE2878B317A6399D80684AED82AE150823B440F55616BEB65DE25294911,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001668890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:59:00.679{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0x31c2eeb3) 10341000x80000000000000001668889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:00.569{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-BFC4-6156-7D00-000000000002}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:00.569{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:00.569{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:00.569{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:00.569{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:00.569{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:00.569{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:00.569{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:00.569{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:00.569{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:00.569{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-BFC4-6156-7D00-000000000002}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:00.569{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-BFC4-6156-7D00-000000000002}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:00.570{69CF5F33-BFC4-6156-7D00-000000000002}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001668876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:00.022{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E981F57BB0D1C22823D2E2FE541BBAA1,SHA256=3B8F42DA21C80B93AAE96BE5FE4E1F3E38268C60C7A11AC9CB3996B3F88DE59E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001668875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:58.134{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49744-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001762882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:01.326{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A8471A7148007726D2B1C8538F31256,SHA256=023F73366A606CD5D9355CD97073E5A9ADA92982262873B60635C52D70E29150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.629{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92D9193B9A48E37BDDAC6D01540FD120,SHA256=E9FDB749ED4C1AE0ADECE75BA0759512AEB8858CFB0A726F5FD0E676CE481A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.629{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD693781A9DCC775AF0D191DDBF1FEEF,SHA256=22A3005B3206804409AFA3FD168D5D8B4962321F012F834DABC6097473B91871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.343{69CF5F33-BFC5-6156-7E00-000000000002}32003308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001668906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.267{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=471BD44664A057C73ACF1BCF5AB90B60,SHA256=1D06101F8379CC1F7E0BC00CD1B2620720FE41846385E3C6B19A2766F133F72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.267{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9D95DD09FF7579C9C4D753ED5A706839,SHA256=30B77B179783362FD5400792CCC41A7C9A6D64D955CBF422124BC6558E3F26AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.207{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-BFC5-6156-7E00-000000000002}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.207{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.207{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.207{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.207{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.207{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.207{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.207{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.207{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.207{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.207{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-BFC5-6156-7E00-000000000002}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.207{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-BFC5-6156-7E00-000000000002}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.208{69CF5F33-BFC5-6156-7E00-000000000002}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001668891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:01.041{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B6BD81AAA97C35377F5655980A70BF0,SHA256=A33B9EED37BA155F69D8C72C3BB075F2EB17F52C2AA586B50D3DD51544D7A677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:02.326{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE251C1FFB05594FCE15BCE36FCBC6F,SHA256=B860302612658C1E9D5FD6EDDAC6F9B44E3C74A089008BD5A8C80A09776B3408,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:02.189{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-BFC6-6156-7F00-000000000002}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:02.189{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:02.189{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:02.189{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:02.189{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:02.189{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:02.189{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:02.189{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:02.189{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:02.189{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:02.189{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-BFC6-6156-7F00-000000000002}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:02.189{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-BFC6-6156-7F00-000000000002}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:02.190{69CF5F33-BFC6-6156-7F00-000000000002}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001668911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:02.113{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90EFB12665E54C253995A9024607FAA5,SHA256=6CB6B24FEFEE98139026A5EC802A4D718FDAC50D1F51DFB61867873274F6DAD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001668910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:58:58.854{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49745-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001762884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:03.357{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A798C4E07B796C16D66D3C86E0344E9D,SHA256=2ED88004D4A538E155AE4625DE022FF324C47E7A92D3A8C5EB46637BE8A1DE30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:03.962{69CF5F33-BFC7-6156-8000-000000000002}25442552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:03.825{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-BFC7-6156-8000-000000000002}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:03.825{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:03.825{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:03.825{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:03.825{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:03.825{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:03.825{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:03.825{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:03.825{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:03.825{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-BFC7-6156-8000-000000000002}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:03.825{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:03.825{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-BFC7-6156-8000-000000000002}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:03.826{69CF5F33-BFC7-6156-8000-000000000002}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001668926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:03.385{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92D9193B9A48E37BDDAC6D01540FD120,SHA256=E9FDB749ED4C1AE0ADECE75BA0759512AEB8858CFB0A726F5FD0E676CE481A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:03.097{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C523A9474FFD9D329C2EC4EDBA462D5A,SHA256=7B50F80513B0F646C6CC163DE5C58034F13B582DCDEAE32DA3200DDB2A0942BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:04.904{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5432FEAB34147744345715835FD054C,SHA256=F8E7A4C9DC879012AE967A79BA8F68BF696629A99E1FE067AD074A6B2EEAD4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:04.904{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6405A5DBFF9E02EAC94915E551216C3D,SHA256=2CF8CB4A2CC88ADB164F75C827FB582217446873DAE44E318CD8E7450F786C17,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001762886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:03.121{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61790-false10.0.1.12-8000- 23542300x80000000000000001762885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:04.466{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F7D24AF474C886EE61AE234CB9D5C4,SHA256=D1CE3120FFFF0CE6CC7F10624BF6AFAE34455E0DCECB90EEBBC6D8CB3820E944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.874{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=145EED2BB61D59A01BE96A2335C489F5,SHA256=A0BCFC4C164AEE2E87EE779258B42E83ED618EB4EBB783F7CA1B43CEC9BE2412,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.858{69CF5F33-BFC8-6156-8100-000000000002}35123452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.737{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-BFC8-6156-8100-000000000002}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.737{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.737{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.737{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.737{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.737{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.737{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.737{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.737{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.737{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.737{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-BFC8-6156-8100-000000000002}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.737{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-BFC8-6156-8100-000000000002}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.737{69CF5F33-BFC8-6156-8100-000000000002}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001668941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.084{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AED465DF49448A3207F887CF4411CCB,SHA256=2A01CFB73AAEB2DE734EA0D2957419C4ED13A5E2C7294981BCDE5DE80D41DDFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:05.498{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961D38F83E94F4F950B0E10772D76F79,SHA256=D0DF966D81990B5E191E736D211B3AE5CF5124183F4B6E3D525A1D63A8EB2535,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:05.513{69CF5F33-BFC9-6156-8200-000000000002}23922424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:05.391{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-BFC9-6156-8200-000000000002}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:05.391{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:05.391{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:05.391{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:05.391{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:05.391{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:05.391{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:05.391{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:05.391{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:05.391{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:05.391{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-BFC9-6156-8200-000000000002}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:05.391{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-BFC9-6156-8200-000000000002}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:05.391{69CF5F33-BFC9-6156-8200-000000000002}2392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001668957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:05.071{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B60E19D1D0116DECF27E5DAD818FC78,SHA256=40E116DA3A5FF8ABB1323408DDBD2DE9C2E5D9F564D28FA11F9514E095151130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:06.529{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C04FE3D9DF3E2DFA09F36661645D9D,SHA256=0FB5EC6FA66A6ECE29B9E03BF5FE4EB7FB49BC839A6E54015BC708D81B46693B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001668987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:06.915{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-BFCA-6156-8300-000000000002}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:06.915{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:06.915{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:06.915{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:06.915{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:06.915{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:06.915{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:06.915{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:06.915{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:06.915{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:06.915{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-BFCA-6156-8300-000000000002}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001668976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:06.915{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-BFCA-6156-8300-000000000002}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001668975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:06.916{69CF5F33-BFCA-6156-8300-000000000002}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001668974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:06.534{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92F9C4C74903994704B2DD0DAE5050E6,SHA256=DCD4927BC279C965988F8D9F7EBE49C2C2A406DA69022061B133BFE43265A18F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001668973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:04.118{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49746-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001668972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:06.061{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64225A012336E8B3B0BC2218959149C0,SHA256=A2B20BBA39C142B44882FFA513D6A2005C44E5891721DABA5C00BFC428693F8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:07.591{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C1CBC61DDB6D64B17C1350BB8256CC,SHA256=7F189FE5F3057199D11639E32939681A1E0F1C8837AC60EDACCECA90D16E02CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:07.052{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61753375EDBC5BF25A38DC2F38FDA39F,SHA256=836CBBB8EAF6E3541814C9A6069F22EF61F64DD6DF12BD97048AC8AB8CD7369B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:08.656{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=834A9E1865D529778F28360342C0791F,SHA256=E5DFF182A53C514454E60515CC319D378C310A5EF7323226DCA1C6EFB0A3A9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:08.045{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7963CFF3C079A5FF407C4645087490C,SHA256=DD4DD68DE0B757D59D35BBA0F9B0F56D3E3ADE321E01361640F500B75AFD1F14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:08.015{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5EDEF24879F9BBD5F537C06722A2C27,SHA256=B45394A535BB446B3B1F1F66F871CB2B4FFA2BEEF8A3FDF5E0428E17489592EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:09.685{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F00ADD94041BB7D13875B5FC38B9959,SHA256=01B023447628303A715AA9A4E3AD6F312744C9E9F6513B78F78C92A1B29B962A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:09.040{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D51A7C5F23F1039D1BCC3EF0CCA5863,SHA256=DFD68A8766A47B13AD431B5A4D2660CD3B5E836B7936A480E4B7A87A9404CCD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.951{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-BFCE-6156-9E00-000000000002}5600C:\Windows\System32\msdtc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.951{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-BFCE-6156-9E00-000000000002}5600C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.873{5EBD8912-BF41-6156-0A00-000000000002}628700C:\Windows\system32\services.exe{5EBD8912-BFCE-6156-9E00-000000000002}5600C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.763{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.763{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.748{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.748{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.748{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-BFCE-6156-9E00-000000000002}5600C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.748{5EBD8912-BF41-6156-0A00-000000000002}6282712C:\Windows\system32\services.exe{5EBD8912-BFCE-6156-9E00-000000000002}5600C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001762916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.757{5EBD8912-BFCE-6156-9E00-000000000002}5600C:\Windows\System32\msdtc.exe2001.12.10941.16384 (rs1_release.160715-1616)Microsoft Distributed Transaction Coordinator ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationMSDTC.EXEC:\Windows\System32\msdtc.exeC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{5EBD8912-BF43-6156-E403-000000000000}0x3e40SystemMD5=308F08347923DEEDE7BC03EC7D485841,SHA256=72DB45CA11FE635DF9F8273C38CBEFB8DF5362ADA0CBF6D2B1E570365DC700C0,IMPHASH=D02F3DF332409C5D3F34BA2D38FC4ED4{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001762915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.748{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.748{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.748{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.685{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BD30F5476B392F83F2A99714FCB8BA,SHA256=DB0356216CDA9F9A63C7602C913326A534438676D7CDA9D2B0926AED781DD766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:10.020{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=987332D84C256121E8782DD770BF6B93,SHA256=26540C1DD6B70930CD83D81E8F975BE0E8215DFA4991D027433BE383415DC0CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.498{5EBD8912-BF41-6156-0A00-000000000002}628700C:\Windows\system32\services.exe{5EBD8912-BFCE-6156-9D00-000000000002}5556C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.498{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFCE-6156-9D00-000000000002}5556C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.482{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-BFCE-6156-9D00-000000000002}5556C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.482{5EBD8912-BF41-6156-0A00-000000000002}6282712C:\Windows\system32\services.exe{5EBD8912-BFCE-6156-9D00-000000000002}5556C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.482{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.482{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.482{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.357{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.357{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.357{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.294{5EBD8912-BF43-6156-1300-000000000002}5041100C:\Windows\System32\svchost.exe{5EBD8912-BF43-6156-1100-000000000002}444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\ncbservice.dll+165c|c:\windows\system32\ncbservice.dll+227a|c:\windows\system32\ncbservice.dll+205e|c:\windows\system32\ncbservice.dll+1bdb|c:\windows\system32\ncbservice.dll+181b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.294{5EBD8912-BF43-6156-1300-000000000002}5041100C:\Windows\System32\svchost.exe{5EBD8912-BF43-6156-1100-000000000002}444C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+1969|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.294{5EBD8912-BF43-6156-1300-000000000002}5041100C:\Windows\System32\svchost.exe{5EBD8912-BF43-6156-1100-000000000002}444C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+17cf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.294{5EBD8912-BF43-6156-1300-000000000002}5041100C:\Windows\System32\svchost.exe{5EBD8912-BF43-6156-1100-000000000002}444C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.232{5EBD8912-BF43-6156-1300-000000000002}5041100C:\Windows\System32\svchost.exe{5EBD8912-BF43-6156-1100-000000000002}444C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.232{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.232{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:10.232{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.973{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4866F3E89C7B9F6299C98D69A708F1C,SHA256=260115DF533B33833502C5335CDE018AFC290E642D1A2B3977AAF6F4986661F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.973{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DC9C86776413B1F794C39662B535827F,SHA256=965CD0D329FCC448D2A7142B9B12070D70B7DB859060E7659A322946BFA4FF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.926{5EBD8912-BFCF-6156-9F00-000000000002}5672NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\cache\cache.datMD5=3AF22E0FB6FCE10200330CEDE8C8D5F6,SHA256=31C8D7168223F37FA06051E8793EB076E911C0C7C949248F032527E0622889D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.768{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20211001075710-001MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.703{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.703{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.703{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.703{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.703{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.703{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.687{5EBD8912-BF43-6156-1600-000000000002}12965760C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+8d212|C:\Windows\system32\wbem\wmiprvsd.dll+8dfd1|C:\Windows\system32\wbem\wmiprvsd.dll+3b42f|C:\Windows\system32\wbem\wmiprvsd.dll+d4be|C:\Windows\system32\wbem\wbemcore.dll+2af4f|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001668993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:11.017{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0F564C8689E945294EBC5773D472F3,SHA256=6117F765329C53E81A5915247AB9E0F07C46E9D49BBDAD491DCBD56B64BF2DBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.656{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.640{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.640{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.640{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.640{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.640{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.640{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.640{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.640{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.640{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.640{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.640{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.312{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C25F5AC5165B8051D03217CA5CB180D0,SHA256=C5ACAA3DDC2558E810E6A033CA14FC5FB88EFB7C6F993EEC16CC090445000456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.312{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C25F5AC5165B8051D03217CA5CB180D0,SHA256=C5ACAA3DDC2558E810E6A033CA14FC5FB88EFB7C6F993EEC16CC090445000456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.312{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B870439CAF57E5FAD2D492F6640E37A4,SHA256=004654E3763F69B4370A4393248DFB47B5726D45BB67A537D1BB907A0A7D3DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.297{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=525724CA7D5598CD09E000B2EF8A6D9D,SHA256=E55187AAC206ABD5DB4EC7F791A31DD18F695721319CDB61DE537D9EA08A7D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.297{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5432FEAB34147744345715835FD054C,SHA256=F8E7A4C9DC879012AE967A79BA8F68BF696629A99E1FE067AD074A6B2EEAD4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.281{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4FE67F6857C431052856730C5E4398AE,SHA256=F351E3CA4A18E1083DC6C8305E4D71A9FBF2D07DB5ED06A0ECFED41BB556F09B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.281{5EBD8912-BF41-6156-0A00-000000000002}628700C:\Windows\system32\services.exe{5EBD8912-BFCF-6156-9F00-000000000002}5672C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.281{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFCF-6156-9F00-000000000002}5672C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.216{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-BFCF-6156-9F00-000000000002}5672C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001762932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.216{5EBD8912-BF41-6156-0A00-000000000002}6282712C:\Windows\system32\services.exe{5EBD8912-BFCF-6156-9F00-000000000002}5672C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.138{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.138{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.138{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001762928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:08.199{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61791-false10.0.1.12-8000- 23542300x80000000000000001762927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.013{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4FE67F6857C431052856730C5E4398AE,SHA256=F351E3CA4A18E1083DC6C8305E4D71A9FBF2D07DB5ED06A0ECFED41BB556F09B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:11.013{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8D6E8D2A2C0C8A0ABF62CBBBBF613212,SHA256=B0E4B420B7704A7BC414ADA792CE487F18BB7C0AC61AF71D0E5D1117D927945E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.860{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.860{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.860{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.860{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.860{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.860{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.845{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.845{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.845{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.845{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.845{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.845{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.829{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.829{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.829{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.829{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.829{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001762974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.829{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF56-6156-4700-000000000002}3700C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001762973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.776{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXEC:\Temp\New Text Document.txt2021-10-01 07:59:12.775 23542300x80000000000000001762972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.770{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20211001075708-002MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.692{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098CF8280CB2750B00EFB6CF9A719EC7,SHA256=4EA33AB614403AE16CFDB32BF9F9EEAEA49296DFAB51520AD3E62D3A7D837B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:12.230{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C36FF70381850AE8D32936D2BF1E351,SHA256=500E8C5669292DED811508B89D8BEB6E7CBAF6248A2FF945EC28FDEC8797E022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.442{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=218209A8306EBDBAAF962346302738C4,SHA256=EBE3E04A7DD2F9EB9E9A5BD8CB56170B63ED1FD3B1F4AD7A5DB1E8D9E9909EAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001762969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.442{5EBD8912-BFCF-6156-9F00-000000000002}56725708C:\Windows\system32\sppsvc.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+7eaa8|C:\Windows\system32\sppsvc.exe+748f0|C:\Windows\system32\sppsvc.exe+957de|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4 10341000x80000000000000001762968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.442{5EBD8912-BFCF-6156-9F00-000000000002}56725708C:\Windows\system32\sppsvc.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+74a0a|C:\Windows\system32\sppsvc.exe+95791|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001762967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.410{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FB9598DC068B8CE53D2A81A151FA0EE0,SHA256=F47BE6C57AF1E54551009CF3592A36E3D0FB4C921259B7D8F9A35675FF135417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.395{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CFBF6B392C1698E6D387C3BD51D2BB93,SHA256=BA4499218286EDF9D5E3C546EB8E9E79CEE435097B0DBD4D446972C5580A2465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:12.160{5EBD8912-BFCF-6156-9F00-000000000002}5672NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\tokens.dat.bakMD5=D6189FFD1732C3A420F4514F53B2F66A,SHA256=2D32BCBE0A8D7312BCF3C3F8AC3CE189E13337178A08D39461A65983BADC85F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:13.974{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6BA21611A282049E75AD203940317842,SHA256=977D1288A5706D94B69628679B945CF8AE3EA72432F9EE01463F6BA51D1DF6E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:13.693{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044E976E8259873E9BB2A4A76AB566F5,SHA256=3F9514FB1F0369F8F2907FA6CAC0DD3439A8B3AEFE3ADF0CC85810B8D97D8C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:13.429{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C37ED4E457F824689D174A2D8126A2,SHA256=8865D7FDA802E42F578193BEEE6C05575882D0E05C981028E971929F6745DAEA,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001762993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:13.173{5EBD8912-BFAB-6156-8A00-000000000002}916C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x80000000000000001762992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:13.001{5EBD8912-BF43-6156-1300-000000000002}504NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\System32\LogFiles\WMI\SUM.etlMD5=1C27EF00B2CE4EBE6F66880B40F9F1FD,SHA256=25FFAD53D8F527179C5789E854AFED0AFDE80F4FD86CAE7EA3535665C2EFA8BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001668995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:10.258{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49747-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001668997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:14.460{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F059ED1116935D889ED7FC046FDB9C0,SHA256=753BA80A95B47D1C9D5404B0484054E16834DEB4BC243A88493D32374999E4FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:14.708{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9455A1D5CF005344303EE7E5A2A2D338,SHA256=BF23B63EDF6FDC878EE38D8FB349BF69F818E4502C085396991E3E8AF834B3DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001668998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:15.678{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC22825268B324B0A664419B02D654F,SHA256=334E0425FC892FCFC424B95C54DA618BB50AE02C0BD4562414E5CF317960014B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:15.724{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AA5D4140417AEC7CC34DBCA5D0C63C8,SHA256=F54781AE30B60D1FB91159F2C9CB66A91E051A0D42264872691688A0AF6426FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:15.414{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49748-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:16.897{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06234A930EC719AB5F6220DAB474EF4,SHA256=35268C191BEEB5FF5E2C12CDCD1A0B1BBF700E7E5FBA681394C0A03A122DAEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001762998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:16.740{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=901D316FECB976E61B7ED4CB73FCF8CB,SHA256=60DFEA5C15E8D56AB60C396CE79BCDAE9BA85B5A93F03553C802B4BB086A3E08,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001668999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:59:16.387{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0x3b1fd113) 23542300x80000000000000001763000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:17.740{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F5CA05058587D8070EA43D6A8DD62F,SHA256=C6B9B45615CC7CAE2C5988BDA98E971026BFC9616EE1CA9F35231967B876EE1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001762999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:14.175{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61792-false10.0.1.12-8000- 23542300x80000000000000001763004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:18.755{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604D4DEE2808BB4CC46833F240267BB2,SHA256=6388F5DAAC44EB786763FCED6D2591D54BE5A6A7935FDD04398866312C2AC77E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001763003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:18.630{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-09-27 08:51:58.895 23542300x80000000000000001763002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:18.630{5EBD8912-BFAB-6156-9200-000000000002}4576ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=31576E973D6F0146DF5509FEB549E92E,SHA256=84F88D93F7183805FFDBEB9476C787BC0435DD292FBD867F921511E3B04FB5C8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001763001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:18.333{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\1.vbs.lnk2021-10-01 07:59:18.333 23542300x80000000000000001669002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:18.008{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=408617427DA472CE9F5BAD770D0288C0,SHA256=717A004906F153E60A2B722E3A432B1617FEB90FDEB36DA0F4B6C0ABDECCABCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:19.755{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACDAEBF3FA46FE47FB0767A96B9C5B46,SHA256=734408365AA9C686322BF83209E07FEBC0EDA8554C4C97DAEFF3DC5B1195A52A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:19.013{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04EBF93E4C3239BECE353EE5AAD452A,SHA256=02661342046ED291A95845F15921DBC6D8AB76E8476D42F81066234469AC1CB0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001763005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 07:59:19.521{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{60254CA5-953B-11CF-8C96-00AA00B8708C} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 23542300x80000000000000001763007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:20.786{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5135D75AC45CCA266FCBD681BE3E6C2,SHA256=5ACE9CD8294E8AB3BC32058C84CD0DB18DF681A8FE0FEDC283D19C1CE41062DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:20.822{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2FD747810381EEF83E3FAD969F41AC7E,SHA256=EC7268540D7F97EDA79A185F96AF6A94887C80815AD1C71ECE8FA4A619E27C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:20.822{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=471BD44664A057C73ACF1BCF5AB90B60,SHA256=1D06101F8379CC1F7E0BC00CD1B2620720FE41846385E3C6B19A2766F133F72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:20.018{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78EF65FCE928202C9163026A787C0DED,SHA256=26E17ABB868F4AA52D52EDF78794DAE8F90F06F034593486C81A64F91E58E044,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.958{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-BFD9-6156-A200-000000000002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.958{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.958{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.958{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.958{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.958{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-BFD9-6156-A200-000000000002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.958{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-BFD9-6156-A200-000000000002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.804{5EBD8912-BFD9-6156-A200-000000000002}6120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.849{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41A0C0BC12A84D1BA03EC7CA5665E6CD,SHA256=60978E65A7C4AD72D3379435B13972C5A97F2744D6CFB4AC187FC813F2CD0743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:21.658{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4F4520A10EAE93E240377526CFBF3234,SHA256=A923784CD1DF4CDE8918EE49C2246C4C5EB4D33C33071B2F3BE90DA5DCCF3839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:21.643{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4F4520A10EAE93E240377526CFBF3234,SHA256=A923784CD1DF4CDE8918EE49C2246C4C5EB4D33C33071B2F3BE90DA5DCCF3839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:21.643{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5A5442A68EA54BA571B7ECD65192C9BF,SHA256=612CDE899FE82CD0AEBBDF1BCBC1C7DECA52CDA8D4ECC57377D42C14B353348D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:21.612{69CF5F33-BF3F-6156-0B00-000000000002}644940C:\Windows\system32\lsass.exe{69CF5F33-BFBA-6156-7B00-000000000002}2140C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:21.612{69CF5F33-BF3F-6156-0B00-000000000002}644940C:\Windows\system32\lsass.exe{69CF5F33-BFBA-6156-7B00-000000000002}2140C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:21.441{69CF5F33-BFBA-6156-7B00-000000000002}2140NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\cache\cache.datMD5=BCD962194635CDE62C15E86334907AA3,SHA256=87709C0C8BC0165A5E6461EFA8A6337CC7CB780D68EF332AA05E6238BF698716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:21.023{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51979FA0F05C743CC1E0D8392A9F420C,SHA256=4B2432E7439EF3459BDB701B0BE423D9EC08B2DE7E64954A6F08DD24AC3EB303,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.724{5EBD8912-BFAB-6156-8B00-000000000002}41364276C:\Windows\system32\taskhostw.exe{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.724{5EBD8912-BFAB-6156-8B00-000000000002}41364276C:\Windows\system32\taskhostw.exe{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.708{5EBD8912-BFAB-6156-9200-000000000002}45764804C:\Windows\Explorer.EXE{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.708{5EBD8912-BFAB-6156-9200-000000000002}45764804C:\Windows\Explorer.EXE{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.708{5EBD8912-BFAB-6156-9200-000000000002}45764804C:\Windows\Explorer.EXE{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.708{5EBD8912-BFAB-6156-9200-000000000002}45764804C:\Windows\Explorer.EXE{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.568{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=310FEADF3ABC0989853D8F930A59C8A9,SHA256=A0A486D56C0AD8DF6F684BF9096DA59213A7E36D50E4748D716ED4087A36BB85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.568{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=42F7AD7ACBDF3DA1DD944FA38AF5F28C,SHA256=781741BD7E7B8F1FC62056319BCBEB53CB0FD16E2F019CF709A8ABB155007C0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.568{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.536{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.536{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.224{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADE3BE2093C384911B3D2CF209E85840,SHA256=C09B7D1B48DC380B38ED15893E172051FC8FE0B7485CC2B64B0757C4DCDD7B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.224{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=525724CA7D5598CD09E000B2EF8A6D9D,SHA256=E55187AAC206ABD5DB4EC7F791A31DD18F695721319CDB61DE537D9EA08A7D79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:20.050{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61793-false10.0.1.12-8000- 10341000x80000000000000001763022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.115{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-BFD8-6156-A000-000000000002}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.115{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.115{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.115{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-BFD8-6156-A000-000000000002}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.115{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.115{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.115{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-BFD8-6156-A000-000000000002}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:20.912{5EBD8912-BFD8-6156-A000-000000000002}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001763014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.036{5EBD8912-BFA9-6156-8100-000000000002}37161076C:\Windows\system32\csrss.exe{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.036{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.036{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.036{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.036{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.036{5EBD8912-BFAB-6156-9200-000000000002}45763040C:\Windows\Explorer.EXE{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+17c27c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+284683|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c520|C:\Windows\System32\SHELL32.dll+17999e|C:\Windows\System32\SHELL32.dll+736c1|C:\Windows\System32\SHELL32.dll+765a6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x80000000000000001763008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:20.955{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe8.14Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\1.vbs"C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=8D93FF22077355875C7BC59CEBE98B4F,SHA256=A345288CDF2B0A43B64E0C3264FC2839A76C98835CAC1A1920D68E21DD444EB3,IMPHASH=D3A8B6DC8BC0179C654D96C4AD61A9D1{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001763062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.833{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADE3BE2093C384911B3D2CF209E85840,SHA256=C09B7D1B48DC380B38ED15893E172051FC8FE0B7485CC2B64B0757C4DCDD7B7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.818{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-BFDA-6156-A300-000000000002}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.802{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.802{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.802{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.802{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.802{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-BFDA-6156-A300-000000000002}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.802{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-BFDA-6156-A300-000000000002}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.694{5EBD8912-BFDA-6156-A300-000000000002}4784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001763053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.177{5EBD8912-BFD9-6156-A200-000000000002}61206124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.099{5EBD8912-BFAB-6156-9200-000000000002}45764344C:\Windows\Explorer.EXE{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.099{5EBD8912-BFAB-6156-9200-000000000002}45764344C:\Windows\Explorer.EXE{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.099{5EBD8912-BFAB-6156-9200-000000000002}45764344C:\Windows\Explorer.EXE{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.099{5EBD8912-BFAB-6156-9200-000000000002}45764636C:\Windows\Explorer.EXE{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.099{5EBD8912-BFAB-6156-9200-000000000002}45764636C:\Windows\Explorer.EXE{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.083{5EBD8912-BFAB-6156-9200-000000000002}45764636C:\Windows\Explorer.EXE{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:22.083{5EBD8912-BFAB-6156-9200-000000000002}45764636C:\Windows\Explorer.EXE{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:22.649{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2FD747810381EEF83E3FAD969F41AC7E,SHA256=EC7268540D7F97EDA79A185F96AF6A94887C80815AD1C71ECE8FA4A619E27C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:22.030{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5863AE354B9E9FA2363BF5923CA766,SHA256=3DFE0C5BA27DE605009177E429C05E95065C5F049DC935DB13844A5A9840BE97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.004{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61794-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001763064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:21.004{5EBD8912-BF53-6156-2300-000000000002}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61794-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001763063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:23.099{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF016072B802435C125466BEE157EAF,SHA256=34E4A18591DF07FA1C78B1D3770D2C2DEB64D8680CE2FE09B760CEFA96BD445A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:21.477{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49749-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:23.037{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800B7EBD11A4F276C6DB9C8D465B4209,SHA256=E0A46F03CAFF0BF970DD5BA9F881A9E27A50E19269A3F1D74CC5E1D4A38B4A4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:24.708{5EBD8912-BFDC-6156-A400-000000000002}41724092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:24.506{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-BFDC-6156-A400-000000000002}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:24.506{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-BFDC-6156-A400-000000000002}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:24.506{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:24.506{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:24.506{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:24.506{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:24.506{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-BFDC-6156-A400-000000000002}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:24.334{5EBD8912-BFDC-6156-A400-000000000002}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:24.115{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF564A1639860CE6206A7F150908E6A3,SHA256=B31630B1B6E2ED67BBF962C083BB49422BC8281E4BB4095DDC9E0C77E983BEFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:24.029{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4DAE11B1B84A6F1F2EC4D78A1FB9CE4,SHA256=D2470760471287710E1472A715475667302139BDB14AF6E35DF2D9F6C3D0D1FE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001763088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:25.568{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exeC:\Temp\1.vbs2021-10-01 07:59:12.775 23542300x80000000000000001763087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:25.568{5EBD8912-BFD8-6156-A100-000000000002}6036ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\1.vbsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:25.380{5EBD8912-BFDD-6156-A500-000000000002}51725196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:25.380{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D532F9D83F2B14EEBE17A61143C45574,SHA256=D050D12DDC6E68C03BD964EAA19DDF17D5D7A9D095E860328DD3238976102B68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:25.224{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-BFDD-6156-A500-000000000002}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:25.224{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:25.224{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:25.224{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:25.224{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:25.224{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-BFDD-6156-A500-000000000002}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:25.224{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-BFDD-6156-A500-000000000002}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:25.225{5EBD8912-BFDD-6156-A500-000000000002}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:25.130{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B8911B740910FD6BE521B90B176FFC3,SHA256=BE2F377E38457206300BFCCBF95F280B35E44E73AC274552F4F1C8E93CCBD61F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:25.037{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3E5197BF56D2F540E1E167328977B85,SHA256=D8EBD913B0C5BAE36D2240A2A41D94D7991FFB0B761B4EA2C251FFA6871DAAB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:26.365{5EBD8912-BFDE-6156-A600-000000000002}21602128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:26.177{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-BFDE-6156-A600-000000000002}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:26.177{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-BFDE-6156-A600-000000000002}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:26.177{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:26.177{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:26.177{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:26.177{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:26.177{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-BFDE-6156-A600-000000000002}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:26.053{5EBD8912-BFDE-6156-A600-000000000002}2160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:26.161{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F83246014EF4A61168289160602C79,SHA256=267DEB5F119258E92251A2095DC7F9700CF2821A48F936970A0388D300256F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:26.045{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC5A41CCCE03F367701C79CFECDABBB,SHA256=E149DD2B91FCB60E421CE621A940518CF405158A53EF63D06EB3F77C22699ED6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:27.911{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-BFDF-6156-A700-000000000002}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:27.911{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:27.911{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:27.911{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:27.911{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-BFDF-6156-A700-000000000002}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:27.911{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:27.911{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-BFDF-6156-A700-000000000002}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:27.772{5EBD8912-BFDF-6156-A700-000000000002}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001763101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:25.081{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61795-false10.0.1.12-8000- 23542300x80000000000000001763100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:27.177{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC20B6EBB21B8527362DA59712A7548E,SHA256=08413BF38C735B5AA69D3B4B9BD1098D9E5698CF0EB860024B15F938FD8BAC5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:27.054{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42B4E343A2C0403505C0ABA43FD6C78,SHA256=BFE161D1F816818FA3A7F4DD4EDB5ADF93F3EF065C6CCF8701267A16BCDE54A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:27.161{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC9B7B384DE97F853D879B1A9500644C,SHA256=2AB32759B343A1090D65E467A1A9E8839882AF62B57354A3E0C455E873880C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:28.063{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B8E71A180795452E659500ACF024DC,SHA256=60A0F872BB5C5E53E04DF2A8FE354665CA4055B8F06E446A78E977649718F13C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:28.833{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80EC001A4D3A623F991B20348FEBEEC2,SHA256=930F8529279AFCBB93D5D83FD77B97B58F522CCE5DDCF94EE98D12429B40CCAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:28.193{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22D79ABB15EA0A4FE83BD51CD042C74,SHA256=E25675D5C83C11B68ED8E92EE35DC67D3E67C232EB247156AF8F86473A56EC2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:27.430{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49750-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:29.073{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16363D917BA4BF4EBAF72B136F39B9E9,SHA256=D8415EE3D98CB5C69DD1DCD683DE6B7E7F2F559DD1518CF7CB179C53DCD1FF52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:29.224{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146C56CFF758A9A9B035BAA064B19997,SHA256=4A05D14C7AAEA173D832E4C026E62EAA34DDCB7DAAA2CC1EDCF98B25244913AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:30.286{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0679627347BAC377E98A62A54188210A,SHA256=17BA5AC5AF1430366F11260D13D94E1C69FF5DD8FD19320B6A217763BB503C72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:30.083{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64CD36388B58E41675B4943626F890D,SHA256=CBCBD73149309A50D84134F776547AC3E697DD1BC892DEF67198FD4BF700A035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:31.333{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBA6EE321DF5321C974D43CF4411291,SHA256=5AA3E770A363D18ADD8FA4E2E7D457222BFB8815E6BFBCF3098D0C5FDE7253C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:31.093{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D5382903AE9DB952B1C7EB276ED11E0,SHA256=06E3B9F177380D39AD99247AFD0ED79B04F6FAFE02174F1D3485758F03C5C6CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:32.349{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B9E607631EAF50E7388BAA59131BE7,SHA256=BD105FA9E3F846579C474C599884A52B0FD6DEE44CD6803AD19AA8C7A0B52C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:32.104{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21AA2175C6DEDEF3FD8E71056210BEEB,SHA256=6DDFE207BA9E3690DB54E1EB234708F68DA1177EED97E6E50CFAE344A6C089B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:32.492{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49751-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:33.115{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61D4C0E1D66B1A669EE61E2A337BB98,SHA256=76970C927C212C489D42F1B8B226470F6D4475FF9CE82E61653E75A8805EBB54,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:31.097{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61796-false10.0.1.12-8000- 23542300x80000000000000001763116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:33.365{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6552A99BAD42B4C5CF438C91D3BF4A1,SHA256=0A00CB4E7A920B9A56D2EA11D898CE1A4538A73E232BE363975EAF55D32FF82C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:34.380{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B030D39BF64DFC03692DB39066C0AB,SHA256=BDC0AEF37A41EF3B127158FEF3DB756A03B6A411304BD91B514CC1E277D0A162,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:33.162{69CF5F33-BF40-6156-0F00-000000000002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse209.124.239.182ip-209-124-239-182.eatel.net60934-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001669032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:34.282{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE705F94779FE0652EA46005AE2C7B2B,SHA256=9147A88F60D318D034A03617346517B3F4B9A7E19507318C14449C03E3F990D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:34.282{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9EAB6BE579FFA6AAECEA452501BD224,SHA256=8E3607654BB870D8017186ED25527514A41A0A29D19A073A6EDE54757A93B0C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:34.111{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD761ACCEC729C9D2C331166F05D3B2F,SHA256=EC00B0F75FCBD457C1CAC9519C2E8A5F1C8CAF5DD33D9661535E7FE590B6B27C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:35.396{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9214A4BA9D26971E8388EA8B317768D5,SHA256=85495A0388542C230DB93B203DBD930E7D6289F9A5098F0E9342B15AD7569F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:35.122{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89675477E3E00A72B55A1D0F16FA655,SHA256=15EE3021F738EE1FFEDD04166213C3018C8602D99D7497987E1759E5E3096C04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:36.911{5EBD8912-BF43-6156-1600-000000000002}12961364C:\Windows\system32\svchost.exe{5EBD8912-BFE8-6156-A800-000000000002}5280C:\Windows\SysWOW64\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:36.911{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-BFE8-6156-A800-000000000002}5280C:\Windows\SysWOW64\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:36.802{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFE8-6156-A800-000000000002}5280C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:36.661{5EBD8912-BFA9-6156-8100-000000000002}37161076C:\Windows\system32\csrss.exe{5EBD8912-BFE8-6156-A800-000000000002}5280C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:36.552{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:36.552{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:36.552{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:36.552{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:36.552{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-BFE8-6156-A800-000000000002}5280C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:36.552{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BFE8-6156-A800-000000000002}5280C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:36.562{5EBD8912-BFE8-6156-A800-000000000002}5280C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32{5EBD8912-BF43-6156-0C00-000000000002}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x80000000000000001763120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:36.411{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5583972A263C2C580A3E5E2709CC9B5,SHA256=D6B676E41B561689F215333B02F67797D567258E535573F1165348756228E054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:36.134{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5354C00A33053E68192128054E2E20,SHA256=8FA49A83A10417BCBEC78FC016F7D779F9F3FB3296B56DF6EE6E91EF8547716A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:37.146{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4505CF3B77B571BF829BB0106F2A26C8,SHA256=D58BC6B3AD278E59B7D53CBEA10F4376F7E5AEAA0AD650985E3755248E0422BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:37.724{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE3F630E4ACEF29B768110172CE59CF3,SHA256=4DC7E08D9B8C5782CCF477AE871C117932BE301DFC88536AF1FA6AAF1D529F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:37.724{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B99065D2CAA6FE103F97D0B1A160D46A,SHA256=C46A2758649D2D8F8D918AB868743A8F7F9E880E44F9D2A04B79900DA3A3F3D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:37.427{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A609CF017B8A32A5646219ADEFE7ECA7,SHA256=9D2163C6C7F17C746E3DFB5CDDB7D1B5D1E55FBF4536E6B7A6F1C5FE41C89FCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:38.443{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=675E2A14621226971D00488BB0E02359,SHA256=FA8214ECF95F819823C4DA178FD3F91F3FE35714EF7EACB6BD7FFCADA896F7CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:38.158{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FDEE73B6D79045870A1AB62A84AB756,SHA256=CB50B72FF64B1EE3CB768D63A91549110B6CF61E58AEE37E93CCBEC617FACF35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:37.113{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61797-false10.0.1.12-8000- 23542300x80000000000000001763136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:39.458{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04ACA0CE09A10D34FB080D80F709418E,SHA256=B0FA7E5DEA4A298C00D28E701BD8270409EE7C99D2743A102488C4D3268756A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:38.523{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49752-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:39.170{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A8B79E1F44B3824FD6CB8EA975F835,SHA256=4C476732759453C6EB31E71FFCA3A6BD7C99AB5D9BC961957AF34274AFD79FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:40.474{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1FF5DD44484D8FD62F326509742150,SHA256=C19CDCF444E7ACC41EF4B0889F3805A68B139826E3D8E816D9F187D7B359F978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:40.183{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C5DD9A563D240F81F15B673176B002,SHA256=9A21471369504126D21D8B7214ACEB33221A37E34259DAB87A35C201BCEA30FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:41.320{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED9EAD680023972CFB2DD0E50EE988E,SHA256=B28D4FC5D3D5578DE0881EB5270D996B2BE9D0E87FA4351086870D788FFEBF07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:41.490{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49492ADA52FE0500012BE0DC628439CF,SHA256=186D187F31D467DA88534AD5BAD43422DC4053B0863756F9F51567C69C973DA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:42.536{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26AD7B58434F40433090817516217884,SHA256=CA318612F9F2C93A182E2A93D7F66C7A5D0CC03C8146774E8CBAC4AA480A0B67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:42.521{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=96D1BE2CAEEAB8519AC33FAEEB077CBA,SHA256=DFD1036E2C61AE5512EE2D692B607249C64FDEDCFC8407BE0ED2E8682BF57FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:42.521{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=96D1BE2CAEEAB8519AC33FAEEB077CBA,SHA256=DFD1036E2C61AE5512EE2D692B607249C64FDEDCFC8407BE0ED2E8682BF57FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:42.521{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=93337FD73FEE5B100F7B692BEA58C0B2,SHA256=BE2F12FEAA1FF09545E467E9D1D4359FC6C087C84C8E62960F5F65D6AEBFE496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:42.505{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D062765B8CC207DC6D11D164B3965766,SHA256=0C620A0CCBB4CBD8B9BB7C897D7A74E28FA112502659CFF379CD6F57FF795C58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:42.458{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-BFCF-6156-9F00-000000000002}5672C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:42.458{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-BFCF-6156-9F00-000000000002}5672C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:42.255{5EBD8912-BFCF-6156-9F00-000000000002}5672NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\cache\cache.datMD5=2A5932EC41D1F65076E8A10935626934,SHA256=AA81E3397641DAD3E5B48CB7C3E8EDB15DBF13309288918831AECE2DC6EAA6F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:43.705{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9778EFB7A73A9640580930558734A5A,SHA256=5AD18F4FDE84CFB4615FD6FD604D7E0E54B76F63909AC9CADBE443E6E242035C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:43.505{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EA10129DD11E6379E70241551F13D137,SHA256=26774C6F4D6AE7CE9645FA508A2AD281BC02E8D32249FD19634792A85C5B2996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:43.505{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB2F9201AED1937DB77626236225DA8,SHA256=0B9AB0ADE6BE2345E7DC0268F60F0A162DEDC3D297BF398DA0BA707A7E320F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:43.505{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=310FEADF3ABC0989853D8F930A59C8A9,SHA256=A0A486D56C0AD8DF6F684BF9096DA59213A7E36D50E4748D716ED4087A36BB85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:44.796{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9F6CEDCE5650B45548D65286E9F2CC,SHA256=C4AAB2239B16CED1E7763155B0DBC40710634C7F4750F9F122D19202BB133667,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:43.098{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61798-false10.0.1.12-8000- 23542300x80000000000000001763150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:44.552{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBBD997ACBD5EF31650D00EF53433977,SHA256=B90DAF69028E1B3C222CF3CCD5D47EDCC65561D58C3F2C7D36F3BE97DA6563B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:45.568{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F861CDA206EFBE4ED361C2102416FCC8,SHA256=06EFBE5ED540391C739D85D25976CE42CF6645C8708F41E9F6B59A157B624C40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:46.583{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45AB4E184E11A7A6BFC19C6115713F5A,SHA256=8B52DA51FEC48C3BC1FBA5A78BCCE5290CBB54441314E6336A762D2E3B40F976,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001669047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 07:59:46.964{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0x4d59649b) 354300x80000000000000001669046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:44.586{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49753-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:46.012{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DB383C21EA613CE713A1579E0526D9,SHA256=C1AD6BFD199C1337E5B63556361E4CF7B4BDD26C85DDF25FADC31D25B7AC594B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:47.614{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB722FC4ADC3FFBFB3FC67FE04EE503F,SHA256=1BAEF06B62D111A31E4DC4A1221159D972DEC22E0544097EFCE17082BB444EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:47.244{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9156671AD32970B85AEEA59A4E99EDAE,SHA256=185F1D6A9D980785B7C2BCF84F566D1DA2F99BBDE91E290E57092D5FD898E79A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:48.661{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14256AE1F116387E349D5796C1EAFBD2,SHA256=3181DAABB66F7572F429D8006283647E4450E8E7A9F257B902EC496DB85DDCD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:48.274{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE1F93D612C31744251F8E7154FC363,SHA256=9CA532DB94F0BDE3BC0A876499CEFC2A64F82DC2ECB5B21AF34AB5B825009535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:48.242{69CF5F33-BF40-6156-1100-000000000002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0F73E7E1AD2D12DC5F48D84515506E1C,SHA256=22394CF2ED79028D77CF8F46AAE93C43975120A37DDA1269AD2A99159C5E2103,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:49.677{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D21D121CB94D09B7AE1F5986745ABF,SHA256=C48DB73B00281305972B5A51BF6745C1957D4B9226CBC5C590B8C2C04F0F7FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:49.287{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4641BD7816FB6C0C955481F1A82E097D,SHA256=42A92F9DABC8CF34CE5FA1E2CB6E6CC80BF2821100623C8F32EE64AC38A1F1BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:49.241{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-BFF5-6156-8400-000000000002}1068C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:49.241{69CF5F33-BF40-6156-1600-000000000002}12041344C:\Windows\system32\svchost.exe{69CF5F33-BFF5-6156-8400-000000000002}1068C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:49.241{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:49.241{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:50.833{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B68EBA7BF52072804A5BE9DA78EED42D,SHA256=5FA41780D97D9B2D213B416144E9EE41E05421AAEA2BDEBAD4BE278703102194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:50.833{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE3F630E4ACEF29B768110172CE59CF3,SHA256=4DC7E08D9B8C5782CCF477AE871C117932BE301DFC88536AF1FA6AAF1D529F63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:50.693{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E517B5FA12D79EE9A7C5BBEAEE3BA32E,SHA256=0F74373DD1FC8A5EBB6B6B14879536D08C7C41D8CAFE76A4D8D822256E5C7FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:50.301{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04BA07F1FA171CC4B6041A71EE16721D,SHA256=3E2D522782C83D4DF2B7EEEC4A011CFF0EA9B209CE72D31A8898A1D5673A5029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:50.301{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE705F94779FE0652EA46005AE2C7B2B,SHA256=9147A88F60D318D034A03617346517B3F4B9A7E19507318C14449C03E3F990D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:50.301{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC9E502F495E6370003C5D5CD063A22,SHA256=27CD5F3C5BEFCF1281EFE89CF80DDCF4AFC4D07BC4E69B3C0B5CD36AD4AFEFD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:51.896{5EBD8912-BF43-6156-1200-000000000002}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=834A1B48FAD3BE73920488B476F31A8D,SHA256=A16E8C6BA43DC30F0B2475D12F14DF64B4ABD4FCC722D2F25F4F56CCA37FB9C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:51.708{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300A861558A3F501B1C86CBD12305DB8,SHA256=7756A11B1A29CCE928E59B581B261086CA649852F7F38800648B951D53CABBC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:50.523{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49754-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:51.315{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1518222F23ED5F5DB847C2B7C611C577,SHA256=7F02B74D42FC430B71BA3381C14AD5B23E697911054C63E132D752ADDA83EA3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:49.757{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.89.190.250-60682-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001763160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:49.144{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61799-false10.0.1.12-8000- 10341000x80000000000000001763169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:52.896{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-BFF8-6156-A900-000000000002}5664C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:52.896{5EBD8912-BF43-6156-1600-000000000002}12961364C:\Windows\system32\svchost.exe{5EBD8912-BFF8-6156-A900-000000000002}5664C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:52.896{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B68EBA7BF52072804A5BE9DA78EED42D,SHA256=5FA41780D97D9B2D213B416144E9EE41E05421AAEA2BDEBAD4BE278703102194,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:52.896{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:52.896{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:52.724{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439F0E74D55CB3EECAF853D2CB9344B3,SHA256=8A8D6635A77FF561B21647E288BF9148F6A135F2CD78DD481068E180A7E83596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:52.329{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDE6AA165A518407AC79A123884CF18,SHA256=B00292E538C363AE5D61C5C54224C692035FD0012AD9C0E9F2FA07D465A11694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:52.298{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2C4F718FC206935BBC02DC4A6E5EBE2A,SHA256=04A8D2B796FF2C49DAA2DCA9B496DD9D554609DF22DCAA8FAAA536B54596DE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:52.298{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3C0619802D7B0EE0C9EA261833EDFE91,SHA256=5799CD47AC51BAAE16CF9E988FBFA89790D4C6BB7CBD53824D1D1F752C1727D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:53.911{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F68E2BA18C584A8DE36ADA9E9996F506,SHA256=3B157D293BEBD2FE2FD4F56FDD1C715EDE7BA18DB928AED9CB85E8772143FCE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:53.739{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533A18D1C5CD6F6EC9C60845DC652793,SHA256=139DECB5891F228BD0089338F12A8089AFD0B05B3F6B2BCF211EA21CE8D9498B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:53.846{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20211001075651-002MD5=E2350FF87285264FC2F693171FD6908F,SHA256=DD0C2B6A4BAA6FC008B19D4F8AE41D7B35D93255AA75D9D1AFF144D5A1F933A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:53.345{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2ED484F2818BD9D2510339BA4138606,SHA256=271FD54F9DC8A389A655EF829618F11EF870754BB5816E4DF3A24F49AA6E43E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:51.128{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local60678- 354300x80000000000000001763170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:50.749{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local61800-false8.248.139.254-80http 23542300x80000000000000001763175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:54.818{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013BD167B774B90D7C2ACB5DB4E8C7F3,SHA256=1DD2DF4B804AD9D47A2BF3AA2E8E8B01F05DB022F7E68CD0DCB73C8ACB9E39EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:54.858{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20211001075649-003MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:54.577{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5E510006F62169E7DE1BF7FFA1CB6E,SHA256=0509855EB0D6C0AE43C8A4CC592793D1A7FEFFB7D7AC1B37A16D7D63D40B8F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:54.552{5EBD8912-BF53-6156-2C00-000000000002}3016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:55.685{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C7B181DB475384F7BF9DA857D38A04,SHA256=451DB507FBA834999492F860EC6AAE27C8CE45EE98ADA70109CA48C314C66250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:55.911{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6AB09A16707D2BC9A6239FDF5775CB73,SHA256=AA3C62C2412BA758EB15199DBD8911463B1195801259768B88804EF6531AB212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:55.911{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EA10129DD11E6379E70241551F13D137,SHA256=26774C6F4D6AE7CE9645FA508A2AD281BC02E8D32249FD19634792A85C5B2996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:55.818{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEC5921BB724687E33238AA382ED29E,SHA256=73C91C000B2847CCD37EA6FD1D10A126148BD096166DDF851BF6BD3BE861DA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:56.902{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CD366628A42962857ED821F4A6A8F6,SHA256=298D7CE0E47C1BA7CA06BA018AA5731213C67FC32E15CF64E8C9C29B13D4A963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:56.911{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4104333439F1D812A050454A099BA3,SHA256=58890A4965E5222AC7BA38095B4A8EC1A3100184DEF56CC6CCA00D6427A98AA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:55.537{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49755-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001763180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:55.144{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61802-false10.0.1.12-8000- 354300x80000000000000001763179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:54.536{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61801-false10.0.1.12-8089- 23542300x80000000000000001763182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:57.989{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24FDD2CD99053036A61E2D722DECA641,SHA256=AF993D5B267A56AE235B20A84B544191969631CCF1F18867ED61224AB7E5518F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:57.807{69CF5F33-BF40-6156-1A00-000000000002}1872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:58.104{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE3FA18D5C5AC7C4AC723E72BE35968,SHA256=C560273D4B431BF8639788CA9071D66313ADF061674427FE24F1D8A2FE5D2107,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:58.164{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49756-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001669073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 07:59:59.337{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F83255CECDE3DEF42A4F83373384943A,SHA256=8E00CCC58EFC80E346AC01E31643DE9F076CD7C5E60EADFFE5F26DCC10022635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 07:59:59.052{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4F990B57056F646CC2F18ACABEF06B,SHA256=E5FA4066109AAE5CB6306BC78CC51FCAE911DCCFEAF092BA0FEF493C4EC7E394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:00.067{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7ADAF0CE0DB855D754A24AECA3CB3BD,SHA256=25673C10990C26683BA07F8C996F1855138B0DF376AD4A44C3EBC48964D3F1DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.898{69CF5F33-C000-6156-8600-000000000002}16601020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.711{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C000-6156-8600-000000000002}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.711{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.711{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.711{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.711{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.711{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.711{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.711{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.711{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.711{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.711{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C000-6156-8600-000000000002}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.711{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C000-6156-8600-000000000002}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.711{69CF5F33-C000-6156-8600-000000000002}1660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.399{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BC2B5A6B87EC341B3757D52F2D1C9B,SHA256=8022B3EB308675C4365BE918F36918BDF5A169E940EA2143D2E729A44C6D02BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.040{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C000-6156-8500-000000000002}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.040{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.040{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.040{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.040{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.040{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.040{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.040{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.040{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.040{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.040{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C000-6156-8500-000000000002}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.040{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C000-6156-8500-000000000002}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.040{69CF5F33-C000-6156-8500-000000000002}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001763186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:00.190{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61803-false10.0.1.12-8000- 23542300x80000000000000001763185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:01.099{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256E0D4D342E6804BC8FEF2AD82F2F60,SHA256=F489EE4630E4E8B07D65E04C04D27C31794FF81F8FEBC3ACA038A9FA33D4E445,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:00.572{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49757-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001669118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:01.710{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C001-6156-8700-000000000002}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:01.710{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:01.710{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:01.710{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:01.710{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:01.710{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:01.710{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:01.710{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:01.710{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:01.710{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:01.710{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C001-6156-8700-000000000002}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:01.710{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C001-6156-8700-000000000002}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:01.710{69CF5F33-C001-6156-8700-000000000002}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:01.429{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDCA97569EF247AC5D89FB69F07BB5F,SHA256=097EFF702C4B448605428D2824FB9F659BC731BDC2BC28D7BCF5B4E07E65C0DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:01.273{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D33A4952A2452389357DC050C860D796,SHA256=563B6FD82B3F816C4F43EE34A984EF5458334955A7A593BF8CC9D05CF0AD5AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:01.273{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04BA07F1FA171CC4B6041A71EE16721D,SHA256=3E2D522782C83D4DF2B7EEEC4A011CFF0EA9B209CE72D31A8898A1D5673A5029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:02.849{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D33A4952A2452389357DC050C860D796,SHA256=563B6FD82B3F816C4F43EE34A984EF5458334955A7A593BF8CC9D05CF0AD5AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:02.443{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C89DD0C36079C79339E61CB463E1875,SHA256=9E254E9DD8BB5BDF1668D2FB16C69C16B4F5AEF1CF8EE1549AFD4BF7EF63B915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:02.146{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D222AAD3C19EBB14C64B2B180A2BD0A,SHA256=A587525B97E81BC8B972F4BC8408F50EFD474CEF0E26DE3A1A68F77F0F7140A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:03.521{69CF5F33-C003-6156-8800-000000000002}29002852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:03.458{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=395986F3535E4B9F06DD8CA66F2A25AB,SHA256=901159CBC2DA25F6711DBC03359BE024F1DE02E24F254987D95DE9C21AB7DAB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:03.161{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B315514C28773A50D6BB82AB2CBC9810,SHA256=88CEC05BD0F66535609029AD6B8546211AE62AA006C8948AD7DA087D7069D1F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:03.380{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C003-6156-8800-000000000002}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:03.380{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:03.380{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:03.380{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:03.380{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:03.380{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:03.380{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:03.380{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:03.380{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:03.380{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:03.380{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C003-6156-8800-000000000002}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:03.380{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C003-6156-8800-000000000002}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:03.381{69CF5F33-C003-6156-8800-000000000002}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001669153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:00:04.692{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0x57ea77d5) 23542300x80000000000000001669152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:04.473{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B53AB520745611B491BCAEE2F426B44,SHA256=CD236B61388C04132999D68ED5939C668B3DC6A49837646F7E4F17EA96A635EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:04.473{69CF5F33-C004-6156-8900-000000000002}24241704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:04.192{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A51AE6526A747E42D5747C31D64915,SHA256=F9B900EAE0C7FB044A2DC2C03F617B6E153D8D80C0BD1F1E60DB26D8B41F9B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:04.395{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45BF961C112D5D2BDF88E99B3F0A5E9E,SHA256=3E92463AA2B984BE271872A32B20125FCBA5410B3809ED3E061868D6F4B1EF31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:04.333{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C004-6156-8900-000000000002}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:04.333{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:04.333{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:04.333{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:04.333{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:04.333{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:04.333{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:04.333{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:04.333{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:04.333{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:04.333{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C004-6156-8900-000000000002}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:04.333{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C004-6156-8900-000000000002}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:04.333{69CF5F33-C004-6156-8900-000000000002}2424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:05.208{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC6B9B87606F63335CA739597DD58DD,SHA256=EB1FA22BB11EDE59EB61996137E0BE19E3F5B89F0DFD90693DEFBF3EAB5A3DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:05.472{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D078B26F4B2F0CA155A63137CD9261F,SHA256=E91C090EA1F083B6A9A901C5B96EFEE7D12E94BE10435F41DFB0ADAC0DD68F82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:05.144{69CF5F33-C005-6156-8A00-000000000002}36043276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:05.004{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C005-6156-8A00-000000000002}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:05.004{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:05.004{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:05.004{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:05.004{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:05.004{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:05.004{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:05.004{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:05.004{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:05.004{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:05.004{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C005-6156-8A00-000000000002}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:05.004{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C005-6156-8A00-000000000002}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:05.004{69CF5F33-C005-6156-8A00-000000000002}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:06.286{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D193260E2F3C527410FC5BF73F825052,SHA256=2E9A364C59AC69A6D6817EA1FE2F6D484B25325090F627B2FFBADF035DD75B38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:06.565{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C006-6156-8B00-000000000002}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:06.565{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:06.565{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:06.565{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:06.565{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:06.565{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:06.565{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:06.565{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:06.565{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:06.565{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:06.565{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C006-6156-8B00-000000000002}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:06.565{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C006-6156-8B00-000000000002}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:06.566{69CF5F33-C006-6156-8B00-000000000002}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:06.487{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA184334DCB87DCF0DDCFE022C722DBC,SHA256=1DEBD4FC5035B25B99CE3B0642ED1381454BF9E3F509984997EF76638CF328DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:06.144{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=398692AAD6DB6247D37D172A3067571F,SHA256=9141F40E2BD8AEC4BB53E8E8D6D638AABD7353E8506A625A66A903E888D58897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:07.611{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD76A7E949FA6506491E5BCD1774F000,SHA256=C1DFA1A3622DB2740AF0248466D6EA6FF144678C6DC3F3EF6F58171CECBA6B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:07.502{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2606F7D70F4FE2133BBF6AB440D94CE3,SHA256=E962A5D9CA27EBDBD234A16FA8EA1CD6AA97864B39FDD2D91D8BA12554328103,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:06.128{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61804-false10.0.1.12-8000- 23542300x80000000000000001763192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:07.333{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07D48A941FEC70FD8FC165B665364E3,SHA256=44D972D74D1688D75EA10D6D65068D6668E452808A6FFDBF2DBA486B018769F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:08.517{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8705793D4115A873CDD39CA333BC50,SHA256=E71E7AE3C7BF10FD03507385678322A1CCEFA3DE6590027DB9CFC8DF39458260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:08.349{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1A8C636E422FE989FCD38BF85CD16A,SHA256=96FEC2657AA9EE51C5BE490386E083B378E29875A1AE8392D83D0C367D11D4BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:06.492{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49758-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001763195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:09.442{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A325824E9D00655F2EA902FBA4CFCAE,SHA256=EA1A239D3DA385AC87AF0E7B792ED3FE00C100D2C870190C89A330A648A7BE98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:09.532{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C437FD300E3BCE8684D5AF34B63837,SHA256=404DE8A7CA422AB11D38B596600191A4F919DF9EF1DC0CD3B667667A119E3072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:10.458{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=176706BE50BDEEA93D63B7B3DA191340,SHA256=3466CA1BAAD068B96C3F63C45BD0323545513F221A37A5A1196E846372E2AF8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:10.547{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB2362E8B79718306B99EACF3EE1070,SHA256=6B5459858D15C5D2A36B5AE971ED5F9D0689901D57942457FB38A638B5B561C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:10.333{5EBD8912-BFAA-6156-8800-000000000002}10163496C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BFAB-6156-8A00-000000000002}916C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001763198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:10.333{5EBD8912-BFAA-6156-8800-000000000002}10163496C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BFAB-6156-8A00-000000000002}916C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001763197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:10.317{5EBD8912-BFAA-6156-8800-000000000002}10163420C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BFAB-6156-8A00-000000000002}916C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001763196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:10.317{5EBD8912-BFAA-6156-8800-000000000002}10163420C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BFAB-6156-8A00-000000000002}916C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x80000000000000001669190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:11.562{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8451FB1809C0FDE5FC1566FA992FF8,SHA256=C38CFBD5D62233EE75EA7C247D6854CCB3F09DBB259014F8CB82371AF8FB7564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:11.474{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C666358A0F0A50239BEFCF7DC9B60AA3,SHA256=2B73A99E3ACC52FCE9FBF648170B4F592095D8F87E62C69E4EDF359DA35CDC41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:12.577{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6966B861FD1BF5E19A2B418251324F3E,SHA256=4661520F48F03AA9BBA1FD8EA014D27371A4284D39E8C0C8E701DB5F52E71EDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:12.505{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1F53B26E496AE5626886FF6762E9AF,SHA256=730A2134F17007E64C32DD58B442A5162FCD7C094965C4ED58A43570D4511856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:13.507{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0EB9C9D55A5352FAA7B5214B66ABC8,SHA256=250CB0AD8D097CD31D2B9F9958F2A21F173174ADBCFB4680288670EA9D0FB773,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:13.592{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D525679C6FA22F6AD0F98D5B56C23BD,SHA256=1D80FC2FC67BAB4B164F6129D9ABDEBD085E89F62231A17AB3A25D3FBCB47D7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:12.539{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49759-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001763203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:13.291{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20211001075710-002MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:14.522{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDEEF83E8CD1B97E9D7597897B33945B,SHA256=9C3B7CB5A416C019CE0D2DA8CE66EC2503C552F4ED7F2C9827678590D703B0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:14.607{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E947F0C78F7E56E701561703281E196D,SHA256=C9BD70B2836FB246F9FD9CDB1D3F07A3590F700598DF2885E984F4D4D5928FC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:12.097{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61805-false10.0.1.12-8000- 23542300x80000000000000001763205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:14.290{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20211001075708-003MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:15.525{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4439A2FA4F8DD5EC32538BE9D34C9CDD,SHA256=2BD34E248F190D0A93B8B4D5F3638F6538FB923BCA050526099A31E83436AB2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:15.622{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF9A9BF205D968612150D00F97CFB75,SHA256=A62F0D6CA8E8386858E134CD1B379F9DA4918E287424B707FAB9C8044131D27C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:16.637{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A4D31F8061A87731A9478D8A4B15A57,SHA256=0E989BC959E26FB51F6487DFBBCA26AE23A034A9A297EDC3EB35145943D496BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:16.587{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCC0077E110777BA1E8774522D80DB7,SHA256=3D0677C55C720B90D0EFECB170B900E35AC8B2769FD39D53D9A15A4ED0C34FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:17.618{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A80313A03AED939DD86A24F0D56640E,SHA256=DC41DD884428982F9689D00FF09241F26973D3F2E1295B63ECA145FC2541D472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:17.652{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F77C45767730BA6A39BDD0893EC5607,SHA256=A1B5EF72CA158AB107EF0EF951FDEB2C90D68F48FC0C0590B121BBDDC74D8C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:18.650{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C64D0A73527B2222A7C6FB276AA7C13,SHA256=F60FEFDC541E69330C8549B8CB75BC8CED47EEE68A6C0B0DA98AAA24CC616F76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:18.652{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FCF1CB52DF7AB44BCA8D1025CED468,SHA256=6E269F06F5F2F2B6DC826E7FA6823BF57BE2F1475852CE5C69D90B564D0CAB53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:19.759{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7335961A83671290EA3ECFA1E2511E51,SHA256=F637D4073EFF18D1AD03FADC85C313027E7848CCBE60D1510B9FE39DACF00C6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:18.523{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49760-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:19.667{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D10D3E933AA26615BBA1DDC476B57D,SHA256=DADC2A33C3AAAB2E777F5AB81F7F802FC2785826F5E2FE11E25064D7C1127859,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:17.257{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61806-false10.0.1.12-8000- 10341000x80000000000000001763222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:20.931{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C014-6156-AA00-000000000002}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:20.931{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:20.931{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:20.931{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:20.931{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:20.931{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C014-6156-AA00-000000000002}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:20.931{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C014-6156-AA00-000000000002}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:20.932{5EBD8912-C014-6156-AA00-000000000002}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:20.806{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DDDDE239445C448974FF23F986B33EC,SHA256=04F36A52E6E318FA59BBC59F15924B54E9A6BC1467B1922E6A8721D3902D98F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:20.682{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82DD7566AA71872BC7CC7B9988087AAA,SHA256=35A6813D2197F8656CDBAAF476117029D8414DC1E4AB9B08A0849058948E37A9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001669201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:00:20.682{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0x61726ace) 23542300x80000000000000001669203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:21.697{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0F7E614C47C65686F735A6EAAAAFC1,SHA256=7E1DB8AE288684B898B2C035F0B9C91326818DF0A955B958BF64AC6423C5F203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:21.978{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BD9DB6E2C5C0D05D8CBED333398A8F8,SHA256=61C8E80879B1A13142CD59DEE0F97C4015584561F763E56185D6CAC14BB6BAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:21.962{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4FF0B4B969D6A12F7F472AA63D58FC2,SHA256=45EE34AD28892FCE28E20E1B32D61A4FF23268EC8B232F3F7EF1A33C544F384C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:21.837{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87A41C839726AC2A3535AB7E25696A9,SHA256=DA4C86CE071A1AF393EECB50734530426E431B10B6F99D9443A7F85209FF0623,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:21.806{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C015-6156-AB00-000000000002}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:21.806{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:21.806{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:21.806{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:21.806{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:21.806{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C015-6156-AB00-000000000002}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:21.806{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C015-6156-AB00-000000000002}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:21.807{5EBD8912-C015-6156-AB00-000000000002}4960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:22.915{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB1641DFA61891D6C215B446E462060,SHA256=CED1C216D12D28164AFA429DFA8C69C0D5D142CFC2C7D3C50E2C53793849A455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:22.837{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8688309912DF691AF29CDDF8F4F37289,SHA256=6FC82ED32BF72A257E5D5D53FF4F9B85CD748AF22058506D08FE9C560115B06F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:22.697{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C016-6156-AC00-000000000002}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:22.697{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:22.697{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:22.697{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:22.697{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:22.697{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C016-6156-AC00-000000000002}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:22.697{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C016-6156-AC00-000000000002}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:22.697{5EBD8912-C016-6156-AC00-000000000002}5028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001763236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:21.008{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61807-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001763235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:21.008{5EBD8912-BF53-6156-2300-000000000002}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61807-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 10341000x80000000000000001763234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:21.993{5EBD8912-C015-6156-AB00-000000000002}49604008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:23.868{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D2E826C1B4289E229E416891A041B0,SHA256=F22F5F7606AE80DADEE1B14309DA3F1FFD415E084DE5410B8084DEE2A65080C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:23.946{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F22C82026A31B3E345FDCC4FD1D0EB7,SHA256=8893A256D723196B784E3975A789ECC2AE85B9E0EC5754D98EFF67066D966F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:23.728{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BD9DB6E2C5C0D05D8CBED333398A8F8,SHA256=61C8E80879B1A13142CD59DEE0F97C4015584561F763E56185D6CAC14BB6BAB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:24.947{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24F2E86845AF396ACB20798942A29C8,SHA256=5AD7D62C8CAFC8DC8056A46A369DCCD3CDF44157ABB2B4F2A78237ED7625CBD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:24.525{5EBD8912-C018-6156-AD00-000000000002}47445200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:24.462{5EBD8912-BF41-6156-0B00-000000000002}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.datMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 10341000x80000000000000001763255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:24.337{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C018-6156-AD00-000000000002}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:24.337{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:24.337{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:24.337{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:24.337{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:24.337{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C018-6156-AD00-000000000002}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:24.337{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C018-6156-AD00-000000000002}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:24.338{5EBD8912-C018-6156-AD00-000000000002}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001763277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.993{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.993{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.993{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.993{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.993{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C019-6156-AF00-000000000002}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.993{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C019-6156-AF00-000000000002}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.996{5EBD8912-C019-6156-AF00-000000000002}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.962{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57F59858B49545EE163AF2B333525F26,SHA256=07F81999CEFD2E32021871A8B3EE4BD19A044D90D44BBCC16BD9C6038188AC24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:23.585{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49761-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:25.008{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A7180130319DAB13C65503D2B964B4F,SHA256=1D3FFCD5460BDBE18FE57D226CF4C221C79B9B629B59A1DCC4CC3DD9BAF95DC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:23.023{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61808-false10.0.1.12-8000- 23542300x80000000000000001763268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.337{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4D1BBDC6E607EF27293087FE6A99180,SHA256=4198DC5BE319A3AB41F99717503A6AE4657588E51AD3B7AFD37AEFCD629B5E7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.322{5EBD8912-C019-6156-AE00-000000000002}33162652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.150{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C019-6156-AE00-000000000002}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.150{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.150{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.150{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.150{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.150{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C019-6156-AE00-000000000002}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.150{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C019-6156-AE00-000000000002}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.151{5EBD8912-C019-6156-AE00-000000000002}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:26.978{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8E4F7FA8B5E63F9730D64DE7355D801,SHA256=633F4943DE145BF1C7997CAFC43C496E735CE73325EEA1866CA5727AE331E500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:26.242{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF8102C28F890354B564BBA036BC3B1,SHA256=C7F1707C588FA9B384A57407CFC94318D406864BA7C82A5F4746B58053E61773,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:26.197{5EBD8912-C019-6156-AF00-000000000002}35681080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:25.993{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C019-6156-AF00-000000000002}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:27.304{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2483BA85290F5FFA0B3BEF69FEFE4E,SHA256=0FD7AC417BB2A5BAAC5212CFD586121A5450D70135F3C641E822E07FB7104146,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:27.775{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C01B-6156-B000-000000000002}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:27.775{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:27.775{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:27.775{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:27.775{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:27.775{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C01B-6156-B000-000000000002}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:27.775{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C01B-6156-B000-000000000002}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:27.775{5EBD8912-C01B-6156-B000-000000000002}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:27.056{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEE3D5C0811137AEC7AADA990B41597F,SHA256=BFAC3394A86E0E090B1BB484C9AFF8F5EFC16E0F822725B182C38835CAD47A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:28.382{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A5D06F922EABFD7A6A4C4DD1A9AB61,SHA256=FC08E94F0D169712EED3507844AE5A3A8F754C597CB50292E88B02396B69545B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:28.790{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1881E402A99FE87D63D2422CF28EFEAC,SHA256=029F9869D981A85595053CEEE4E45307B140AA6175D80EE0763690DCBA4AA580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:27.993{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54DD2FBE5D7FB1D8A57BA3EE2CF9E590,SHA256=EE1B2AF6453257ABFCE8913468473883D7C087EC302755E5A68A4BC8FD20B352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:29.600{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB230E67DCA74EA87EF5852D11E62F6,SHA256=3760AA755350796AC8C471D673E2118256A0516F86D14E40A90809D1ADEEA693,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:28.226{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61809-false10.0.1.12-8000- 23542300x80000000000000001763292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:29.056{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596423E1C48D6AB9E68F8EFEFD7D4A8C,SHA256=00FC91312722F0BC15DAA8B143D8AD772359B2A0F36EF0B262623BB69C46D9BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:30.819{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662C5BD9BAB52C50515EFA32AAD2B345,SHA256=3C8E508A872D68DCF4B3A4B382E314AAC0C0FF166AB10E39F4A6247806ABF43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:30.181{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E24DBED5A3B2EF3CE463094801508B98,SHA256=86B421200FE3742601EA798DD84DB8E4B6E249BE0FF8AABC1F285F1D223AE87F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:31.834{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9EA7550BAB03939AA8504C3891C803,SHA256=E0F591A0F3DF45F54952847B8DAECCE0299BB4D1BADAFD4D923AC5F48F9B2DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:31.197{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5288C83FF4D8203CF2265938C98A30E,SHA256=D99B4F2726C055A361AFAAC3E4141036F68A0C43638B5D08E3D292B7AC4D669B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:29.648{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49762-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:32.849{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1603F11E41DA6674F8FCDB3946A3D0CD,SHA256=A9CF800D4E9C36E1921E3CC53D9E31073DF13197C3CB2B06F8506FC682ACD6B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:32.212{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716E0CE10315D8F2642E5797CB546EEB,SHA256=7BE3650BDE0E0CAF07A2A068A7F2B44B16D1C060A826DD106AA688D2B883D530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:33.864{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E000D7F4A6C740F988BA80489ABDCF8,SHA256=9AAF0EB922CB64D07F50134BBE29517E2190704A41F4B1585CCD35A21FF2C24E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:33.228{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269435C66BF59B54FBC3895C347B4B63,SHA256=1EBBB2DA8A399996A96EE5E10355C3516BBB578B640985CCD6D4F1F5B99FC3ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:34.880{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76610BD8A6825197CBCD2ED60324CB5,SHA256=0A05D34CF8820561E6ECA1B8704A2D7193FC562183F54AA272040B66ED3B6317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:34.275{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316935180418E43D955104B57279B1D0,SHA256=BDF8CAD1F17151DE78501E64F03290EC7AA23B6D336619FB52D3A37BFEF7CF71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:35.895{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CA025C4F10CD92BE92D676F4AED687,SHA256=E7EA164A4094AA9CCE1E65EE73BC46385AE8F393C41C163C9F6B0F3F6315A7C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:34.054{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61810-false10.0.1.12-8000- 23542300x80000000000000001763301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:35.696{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D333CF588D906EEBCC7A279E58D3B9B3,SHA256=72609127E8DF4872583CBF0DF7FAE6D294E7F60AD953296900D6BED6580CA931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:35.696{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF25B0C345FEBE2D70D16A2EA35511F0,SHA256=3D636A6F1C70ACB26C266B6A38164F3A3BB2E22CAE3070FE6EDB4BD0F41E5CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:35.306{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC28D4EC7F64E44B76C564596A36AFB6,SHA256=FF40BF7F83D9DADA30098DA60184BFEA63FF8189ABE476608BB9266BA0998F93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:36.910{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A2ECCCA4B4E63EA719AFD8A0BA639A,SHA256=B7783B3981F7382E1B770322C48DC65971280E8BA11C626A594103E20306E9D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:36.337{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C248A270402442D8B47B40F290C61A,SHA256=279875E21358F3D11F77771371A3E4EB0C441B83D2B4A0B909A1E2ED29BBF3CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:35.476{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49763-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001763304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:36.290{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=43FCAC11861CA9C3836AB96B30DB9B68,SHA256=68EE541FDBEBA385F957E2736EF2AD038F1834284F1330F951B8EC7C41263F84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:36.290{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6AB09A16707D2BC9A6239FDF5775CB73,SHA256=AA3C62C2412BA758EB15199DBD8911463B1195801259768B88804EF6531AB212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:37.910{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A178DA0E35E5477BB1C20B3F0132DF9,SHA256=39F076CB138ACD5EA6F488C74D69294D16632054112CC9BDF6540D5267928141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:37.353{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858A5C92BF53C17051C45F5605F9404E,SHA256=C4C8D98059C7345594D0B7A1697E1F6198FD7AD0B47A4DE523D60A33FAA5E7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:38.925{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF69F2847E3FCEF32AF335AE3E61521,SHA256=8A4C61830B236F85164DF49EB621DDF11396EA5672651732F51E343E9880A8C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:38.368{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0529012B48E4F7429DD04CB791496BBB,SHA256=274A979065C6AEF29326FE5CDD4D80F3575844FD591EA5E1A96F22083C4E264F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:39.940{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A629B8CF25A7A66F5C8BF5FB8CDA0E05,SHA256=8782388FEA95EFBD38AA45A3B3F808EE2466B2C24682EDA7A8577ED2E997856D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:39.384{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04AC9ACB41E5E0E1953C7B569C7E016,SHA256=9AFAA88FD8585A10EAA6FBDD5ED725045E3B7B1BE198700EC8A0C69739E45C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:40.987{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C9F96F16542135096C52335704ECDF6,SHA256=FC0E880296DBC985A4651C5166088532B6FF0AF09F6DA0892463150D999AAF67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:40.384{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C108C133A343F5A80AB913FD7DA82E2,SHA256=58634B70E295D64DDE9774D9AC4C184CA41E655BE6365D2651AE625D63F0F8DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:41.415{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA01AA278E2D2C3F119A63161464C4B,SHA256=246AA6882F28C58B0FAE5E0598158550E1F47646422EE224A2055989BDFD15AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:40.491{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49764-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001763310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:39.179{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61811-false10.0.1.12-8000- 23542300x80000000000000001669226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:42.205{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD53B269C2F98808EA3183078CA60D8A,SHA256=D50F2BE0D091ED76F49C6032EC1FB39B6126099F84A283B36C2F54C8183B67FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:42.415{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1442C792FC9477DD405DE8BDC46DA878,SHA256=5ECC8E228C2EE98CD0426A17E4C8467D0DDE2AF360B0F0B546053FCBFFDF7FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:43.439{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7E18B998DBCE3365B979AAFD7B2ACA,SHA256=D6090AE384C1ECC2A8341B2E18A1D2AA3F74739193351A750C7F89580D5F93D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:43.431{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2DC6E7190D3CED49210485D0611F8E3,SHA256=6A32D86CA5BF139B2C8B4533D918703D014974FE459BB90B46EED4C7EF05731D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:44.673{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F0461EEED23C289D0FBDE12F296ED3,SHA256=BA232DF0EA52D3E947933B3467529295CD3A6DEBC774B623DEB0EA74F2F5FC53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:44.431{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60856573165428EFEB78B27BC92167D6,SHA256=365EAE9C6913525E06777A96BA88E31D6BB825A65D08C8CC22916181C9944A89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:45.907{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B9B0F911FC8F3254EF7BD0FD5824A8,SHA256=DBE0D1C75E53A98B9FE672610C11D1DB17F61A36897D9B0FB54CBA47DEE9C373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:45.462{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3B4810E30631A42E7E13050C5B89DC7,SHA256=A53E91BFEF3C7F1982AC2BB036D54CCC084FB44B3307968ABDF972F6AA24DA97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:46.938{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBEBB6E3DB8764100616418D34FBAAFE,SHA256=5987642C9F7A3EA346C1620F50F0E37B980DCDB5864814BDD9B8ECF47EB14D87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:46.478{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14495FBC9775F4F4786183FC4AA62F2,SHA256=F6BFCA07B9B9EED523FD98A77A5253013719B1B9BEC26FF80271605A2F72C700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:47.509{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE9480D564D477DF5556DFB4A5C4ACE,SHA256=AD2101094C97D55C447A63E4F619B8E8C968D7F751BBBDDC8B86FE1AA8688207,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:45.179{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61812-false10.0.1.12-8000- 23542300x80000000000000001763319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:48.540{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C1868EEBEF6AA563DB4B88A835672A,SHA256=B1821FEDC03360B6002F5DB42E8A5C43D1FBADB2EDD1CC5909FD1B61D8448B69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:48.391{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:48.375{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:48.375{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:48.375{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:48.375{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:48.375{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:48.375{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:48.375{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:48.375{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:48.375{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:48.375{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:48.375{69CF5F33-BF40-6156-1600-000000000002}12041344C:\Windows\system32\svchost.exe{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\wbem\wmisvc.dll+2624|c:\windows\system32\wbem\wmisvc.dll+2491|C:\Windows\SYSTEM32\ntdll.dll+7de1d|C:\Windows\SYSTEM32\ntdll.dll+3a969|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:48.219{69CF5F33-BF40-6156-1100-000000000002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F4F030CC3AC83D1F63A4395FB4F337EB,SHA256=A418C5839B4C72E4ECB609D2D5336CA6425F59FB57B10D7277429FF6B0D031CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:45.507{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49765-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:48.016{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC9E5ED3C7DD60D5575F8389B0EE0A3,SHA256=37E48F91E8A7C64C49BED083EB3543B2D2939DB41D73BA690AFE50D3D6A41F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:49.571{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717610753A97093FE4D2232A308E4947,SHA256=C45F7094362AB6E40301E2FE5E4752D541F46B33C399F0BAEECF0EB74D956395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:49.438{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D61A6C4F4E578AA505775334869492F6,SHA256=71A7A9E53E39C545765A46C50EFF507433956D56FDD1B0CA8ED03E086BEE7A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:49.422{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2D8302775F9022B17917CEBD25F3F7F,SHA256=A885E7B3D5418933A91A2D665A74BA7012F82914B45F4BEE16C349458522B65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:49.063{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51929FE87A8F71F8CC819981731CD91C,SHA256=47F41F73B15DF455AB7A22B460EB5D85A77354782D8050A1DF9C46204BBD660F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:50.618{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E55D1BC32D095A16A7FD47DE904765,SHA256=12913C1FC42D749CB4CA4EA702F6EFD82233EABA4F805CF9583D8F40EB81C93F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001669250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:00:50.968{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0x737fbf37) 23542300x80000000000000001669249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:50.297{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6329F05B530894F1E778B791638B937A,SHA256=17240E77AC70FE24C57BE318B5449DE0713A2C808D0E075A937413F2B1390F5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:51.531{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1093E822EEE75FE591A67FBE045D08F6,SHA256=6F1F709A8A61CB199A6BEDCD27BE2314525FE5313FA5D540F80F2DDF9F50797E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:51.900{5EBD8912-BF43-6156-1200-000000000002}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=483063AC03C2A287C5C97F5F665426F9,SHA256=B76DD024947C35FF98BFDCBF4313F9854467F3DB3186687ACC68EB33112E61E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:51.650{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5520A2CD4DD15000D44E2557AA9014D2,SHA256=B592C8C0F4C836E5A62ABB1022696EEC69E8821F3BF2A607B1DFEE703C79C746,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:52.671{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED180710165BACECFF1C7A817334124,SHA256=4F3E18DB8AB4857066686C79B670885A1CEC69612A6838A6607B239CEBB4E835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.962{5EBD8912-BF43-6156-1600-000000000002}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF3cb5f.TMPMD5=64255F9BA7FEB4681E543354F94A7F59,SHA256=484B1EA6018E5CCEC313176A019B8E69F6A7A08109DAC24B61BDE9579E4F794C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.900{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B600-000000000002}652C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.900{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B600-000000000002}652C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.900{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B600-000000000002}652C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001763419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:00:52.837{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001763418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:00:52.837{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0003cae2) 13241300x80000000000000001763417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:00:52.837{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b692-0x12f46401) 13241300x80000000000000001763416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:00:52.837{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b69a-0x74b8cc01) 13241300x80000000000000001763415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:00:52.837{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b6a2-0xd67d3401) 10341000x80000000000000001763414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.806{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-C034-6156-B500-000000000002}5444C:\Windows\System32\sihclient.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.806{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-C034-6156-B500-000000000002}5444C:\Windows\System32\sihclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.806{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.790{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-C034-6156-B600-000000000002}652C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.790{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-C034-6156-B600-000000000002}652C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.759{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.759{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.759{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001763406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.759{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.759{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.759{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.759{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.759{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.759{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.759{5EBD8912-BF43-6156-1600-000000000002}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF3ca94.TMPMD5=EDCA8279DF9DC94813D8498148900D92,SHA256=CB5A99E0204BADCFDB2DAAFED6B0F2C9E5AC3C01CBBC84FD6998555EC273E174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.728{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E6BDE15FB8794EB2857A75E201EE9B26,SHA256=25AC8CA813AFA74583F0DB18B93ECC9A4E1001EC972FB358F4A6FAB4F653C695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.712{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8900898D1D0E1825D6A82E89317E6949,SHA256=0898A69B55A47520D4D05D2A84E4EBD1C855484D5C11411E75E43C1115698054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.697{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B82B42FC9F667F05FF9D71DBE9E59C4,SHA256=988EBD208C9E411E9BD90714DA0B1D81BF4450B0C2E0155151EB1EC7CF548B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:52.312{69CF5F33-C030-6156-8C00-000000000002}4044NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:50.569{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49766-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001763396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.618{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.618{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.618{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.618{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.618{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.618{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.603{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB6A44801F619ADE0D6E7D9B8C656D0,SHA256=CFE7928ACDD31A0DBA2AC209A4181F688E9C9CA806BFDFB4ACB88D286C130714,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.587{5EBD8912-BF43-6156-1600-000000000002}12961364C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B400-000000000002}5436C:\Windows\system32\usoclient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\usocore.dll+210d2|c:\windows\system32\usocore.dll+15924|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001763388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.478{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-C034-6156-B200-000000000002}5424C:\Windows\system32\devicecensus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.478{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-C034-6156-B200-000000000002}5424C:\Windows\system32\devicecensus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.431{5EBD8912-BFA9-6156-8100-000000000002}37161076C:\Windows\system32\csrss.exe{5EBD8912-C034-6156-B900-000000000002}5496C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.431{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C034-6156-B900-000000000002}5496C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.431{5EBD8912-C034-6156-B200-000000000002}54245428C:\Windows\system32\devicecensus.exe{5EBD8912-C034-6156-B900-000000000002}5496C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\devicecensus.exe+15de|C:\Windows\system32\devicecensus.exe+24a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.431{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B200-000000000002}5424C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.431{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B200-000000000002}5424C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.431{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B200-000000000002}5424C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.431{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B200-000000000002}5424C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.431{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B200-000000000002}5424C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.431{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B200-000000000002}5424C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.431{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B200-000000000002}5424C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.415{5EBD8912-BF43-6156-1600-000000000002}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=46669DF1D878FAE15AE927F3F2BBE72B,SHA256=02A0358BFC90A577DE62E9630CA109E5C5D98A2D0AA55A4432133A70F17EF856,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.353{5EBD8912-C034-6156-B800-000000000002}22244512C:\Windows\system32\conhost.exe{5EBD8912-C034-6156-B500-000000000002}5444C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.353{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B400-000000000002}5436C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.337{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C034-6156-B800-000000000002}2224C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.337{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-C034-6156-B600-000000000002}652C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.337{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.337{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.337{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.337{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.337{5EBD8912-C034-6156-B700-000000000002}47205452C:\Windows\system32\conhost.exe{5EBD8912-C034-6156-B400-000000000002}5436C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.321{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C034-6156-B600-000000000002}652C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.321{5EBD8912-BF43-6156-1600-000000000002}12961512C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B600-000000000002}652C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.321{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.321{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.321{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.321{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.321{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C034-6156-B500-000000000002}5444C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.321{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C034-6156-B700-000000000002}4720C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.321{5EBD8912-BF43-6156-1600-000000000002}12961364C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B500-000000000002}5444C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C034-6156-B300-000000000002}4856C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B300-000000000002}4856C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C034-6156-B200-000000000002}5424C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C034-6156-B400-000000000002}5436C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-1600-000000000002}12961476C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B200-000000000002}5424C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-1600-000000000002}12961316C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B400-000000000002}5436C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}8443816C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}8443816C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844884C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844956C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.306{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.149{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.134{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.134{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\wbem\wmisvc.dll+2624|c:\windows\system32\wbem\wmisvc.dll+2491|C:\Windows\SYSTEM32\ntdll.dll+7de1d|C:\Windows\SYSTEM32\ntdll.dll+3a969|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:53.733{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A202AB78DE42675629165E61E5BD9A18,SHA256=87FDEBB592F477E73223074CC148DEE1E37C63E960FD0A3262D24CC330191DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.759{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D854CAB7B802D9BFA8833D0C48AB76,SHA256=AD515847226AD48CF317F2F6448F0A1067FC460861B0AE392AB2F7AECB3C366A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.728{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D182D0194BEFBB8C55B21E81B736E5F7,SHA256=46602773D21ED0F53638C37F2D26B96E7B18A9661B45E4F2B8C3EAD649D10BE6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0E00-000000000002}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0E00-000000000002}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.681{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001763447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:51.054{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61813-false10.0.1.12-8000- 23542300x80000000000000001763446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.556{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E809C362FEFB7D3636C2CAA8F02C5382,SHA256=759E807E63F814BE54CF832960A7D82EFC67D528171F2B7895A534ACE4B11B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.556{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=43FCAC11861CA9C3836AB96B30DB9B68,SHA256=68EE541FDBEBA385F957E2736EF2AD038F1834284F1330F951B8EC7C41263F84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.353{5EBD8912-C034-6156-BA00-000000000002}4176ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Pending Pings\35544760-B409-4B5B-B16B-751866905589MD5=C293188433C64245E18F9F731BF84600,SHA256=127709B0DE57516104337CC35758440376958E21EAE9167E8B7771E2BED71844,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.321{5EBD8912-BF43-6156-1400-000000000002}10641184C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B500-000000000002}5444C:\Windows\System32\sihclient.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.196{5EBD8912-BF43-6156-1400-000000000002}10641184C:\Windows\system32\svchost.exe{5EBD8912-C034-6156-B500-000000000002}5444C:\Windows\System32\sihclient.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.149{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADFBFC84BABCAB8C353CDBCC10FF9B7A,SHA256=4BC4D23D959B28ABA0C3ABA7D6F5EE447D4F29104BF9A3D127B4252800D30325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.149{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D333CF588D906EEBCC7A279E58D3B9B3,SHA256=72609127E8DF4872583CBF0DF7FAE6D294E7F60AD953296900D6BED6580CA931,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.118{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.103{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-C034-6156-BA00-000000000002}4176C:\Program Files\Mozilla Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.103{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-C034-6156-BA00-000000000002}4176C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.087{5EBD8912-BF43-6156-1600-000000000002}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF3cbdc.TMPMD5=523BB9B81D2C76786205F9C24C100D1B,SHA256=D54F2E324DE3516517B58D836945989BB5F0AB3C214E1F387CDC33C4C8C30438,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.071{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-C035-6156-BB00-000000000002}5828C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.071{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-C035-6156-BB00-000000000002}5828C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.071{5EBD8912-C035-6156-BB00-000000000002}58285740C:\Windows\system32\conhost.exe{5EBD8912-C034-6156-BA00-000000000002}4176C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.040{5EBD8912-BFA9-6156-8100-000000000002}37161076C:\Windows\system32\csrss.exe{5EBD8912-C035-6156-BB00-000000000002}5828C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000001763431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.024{5EBD8912-BF43-6156-1600-000000000002}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF3cb9e.TMPMD5=2755B10EF60FC96C37886193F0B20E55,SHA256=D35EA34ADEDDA5D42C5445A7D8B913DADA0946574BB79910C788CFA8CE0B27CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.993{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.993{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.993{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.993{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.993{5EBD8912-BFA9-6156-8100-000000000002}37161076C:\Windows\system32\csrss.exe{5EBD8912-C034-6156-BA00-000000000002}4176C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.993{5EBD8912-C034-6156-B600-000000000002}6523192C:\Program Files\Mozilla Firefox\default-browser-agent.exe{5EBD8912-C034-6156-BA00-000000000002}4176C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\default-browser-agent.exe+39f65|C:\Program Files\Mozilla Firefox\default-browser-agent.exe+3c30e|C:\Program Files\Mozilla Firefox\default-browser-agent.exe+57ce8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.998{5EBD8912-C034-6156-BA00-000000000002}4176C:\Program Files\Mozilla Firefox\pingsender.exe92.0-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/default-browser-agent/default-browser/1/35544760-B409-4B5B-B16B-751866905589 "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Pending Pings\35544760-B409-4B5B-B16B-751866905589"C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=8A5233CE7A88489D05FEF9BB7AE52572,SHA256=0888DF51AA62CAF8E02C97564FF4BDCEDCF8CC0B6091753F7D9D4389689BA825,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{5EBD8912-C034-6156-B600-000000000002}652C:\Program Files\Mozilla Firefox\default-browser-agent.exe"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task "308046B0AF4A39CB" 23542300x80000000000000001763509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:54.774{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BAD95AC214A2727154381C58F319576,SHA256=090436A31079CA6DA7CB77301FF12D0E67D33E306F09A252A5425AA94F3EF640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:54.764{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CEA0407A8C9301F80EBF7A7C465854,SHA256=3BC914EBDF3461B6A656D213DE966C85E08A65FF6BF9C9C933FAB3CC194D8CD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.161{5EBD8912-C034-6156-BA00-000000000002}4176C:\Program Files\Mozilla Firefox\pingsender.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local61819-false93.184.220.29-80http 354300x80000000000000001763507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:53.139{5EBD8912-C034-6156-BA00-000000000002}4176C:\Program Files\Mozilla Firefox\pingsender.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local61818-false35.227.207.240240.207.227.35.bc.googleusercontent.com443https 354300x80000000000000001763506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.945{5EBD8912-C034-6156-B500-000000000002}5444C:\Windows\System32\SIHClient.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61815-false52.152.110.14-443https 354300x80000000000000001763505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.875{5EBD8912-C034-6156-B600-000000000002}652C:\Program Files\Mozilla Firefox\default-browser-agent.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local61817-false93.184.220.29-80http 354300x80000000000000001763504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.872{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57798- 354300x80000000000000001763503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.839{5EBD8912-C034-6156-B600-000000000002}652C:\Program Files\Mozilla Firefox\default-browser-agent.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local61816-false13.226.145.33server-13-226-145-33.dus51.r.cloudfront.net443https 354300x80000000000000001763502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.817{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61814-false51.124.78.146-443https 354300x80000000000000001763501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.817{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58488- 354300x80000000000000001763500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:52.807{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64723- 23542300x80000000000000001763499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:54.556{5EBD8912-BF53-6156-2C00-000000000002}3016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:55.983{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6688D0E853D440C338D1DA546E93AE18,SHA256=6479E0CF785359AE06A81F676BE1615DAAE0F328043E083DC0DB7B082139E6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:55.790{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE66B9A7628EF030E45DA63B30198474,SHA256=39086865C0AAFFFF8182D4394248B84CFC6DF62D73A7682F797C1FFE67E64BC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:55.345{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20211001075651-003MD5=E2350FF87285264FC2F693171FD6908F,SHA256=DD0C2B6A4BAA6FC008B19D4F8AE41D7B35D93255AA75D9D1AFF144D5A1F933A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:56.837{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1657582E797A84552991DA4C53465B6,SHA256=E80DD76DB329C21D2B2C76411A7ED4C0A8341958E4F1BE9C9A0894E0379A751D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:56.358{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20211001075649-004MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:54.554{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61820-false10.0.1.12-8089- 354300x80000000000000001763512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:54.461{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61146- 354300x80000000000000001763511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:54.461{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59239- 23542300x80000000000000001763516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:57.853{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9352EA670BFB339BC41BE4FCFE7443E,SHA256=019948D0C80835FD69149C6332DC0FA1FE0D74B2FE0BC7C3F741CA4173D08AA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:57.810{69CF5F33-BF40-6156-1A00-000000000002}1872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:56.507{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49767-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:57.170{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4F94144787BE4027A21B24DCA23D32,SHA256=DE05347A687FEFAC83263C71A50C98EE2FC9AC11CB6988B1EDBB956F52E8321B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:57.759{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADFBFC84BABCAB8C353CDBCC10FF9B7A,SHA256=4BC4D23D959B28ABA0C3ABA7D6F5EE447D4F29104BF9A3D127B4252800D30325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:58.931{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F58E6EF71D95D12621CABFF78BB890,SHA256=157D90BCB73F3DDF0C5EC8878335C149BE4EAFE8597826BB1FAE1DAD5CFB37CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:58.294{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756CC32E0F8121AAA07417842DFF8A02,SHA256=9B96BB48D4112D068EFD3E556E0E45BC5D5C7B0678A24E613B614F3CB4BD4E83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:57.054{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61821-false10.0.1.12-8000- 354300x80000000000000001763517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:55.877{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-60075-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001763521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:59.931{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE36B36F81BFE667D198845F188402E4,SHA256=0BE66DB8D42F440782E4848EAC7B50BD0858E870E7A5EF30236BC6EC22C124B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:59.497{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D42CFF53324C2230FCAF7D36425806E9,SHA256=D56DD0FB3B0B4D31ADE1246093873F56CEE52E7D962A1DA12CAA982717330EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:59.462{5EBD8912-C034-6156-B100-000000000002}5392NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:00:58.194{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49768-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001763523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:00.946{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B307082C36D1859DE011B70F0C97877,SHA256=6720F849BBF9C0FFF78C66B464CDEB41A6C2B93D1EE7939175541F8871821D23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.919{69CF5F33-C03C-6156-8E00-000000000002}35763584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.700{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C03C-6156-8E00-000000000002}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.700{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.700{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.700{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.700{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.700{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.700{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.700{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.700{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.700{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.700{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C03C-6156-8E00-000000000002}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.700{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C03C-6156-8E00-000000000002}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.701{69CF5F33-C03C-6156-8E00-000000000002}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.513{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8E26821357658EA69B601A5B13A4CA,SHA256=964AF415BA6D20C7F271141C115530FA74C55CFA2A9BE02EC4A54DBB5CD49B0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:00:58.616{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57765- 10341000x80000000000000001669278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.028{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C03C-6156-8D00-000000000002}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.028{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.028{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.028{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.028{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.028{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.028{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.028{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.028{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.028{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.028{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C03C-6156-8D00-000000000002}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.028{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C03C-6156-8D00-000000000002}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:00.029{69CF5F33-C03C-6156-8D00-000000000002}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:01.946{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A5FC72E0CB5C5674E8A2F901C6A0A0,SHA256=1D6307E219CC8E133DCFCED3705B1D334994A6F7EE1CC51DE70DF55ED2AC9C6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.684{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C03D-6156-8F00-000000000002}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.684{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.684{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.684{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.684{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.684{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.684{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.684{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.684{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.684{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.684{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C03D-6156-8F00-000000000002}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.684{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C03D-6156-8F00-000000000002}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.685{69CF5F33-C03D-6156-8F00-000000000002}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.637{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE3D150A074D27EBE6AA83E02222679,SHA256=3C1B8BA41F9C4A5B3E86B32F4A8EB8100193FC80BC31CB623B35296284208BB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.044{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3609104F1209DEF62018C58B9AE5EBB4,SHA256=76137862225A72B05ED5B98CC2B5FD37388E2362CDF9E85DAD19003A3A5F0A2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.044{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D61A6C4F4E578AA505775334869492F6,SHA256=71A7A9E53E39C545765A46C50EFF507433956D56FDD1B0CA8ED03E086BEE7A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:02.962{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19EA19D38ACCFCD929054A432E728B0D,SHA256=4CCC8BB5CF3D392BD1A95F9386BB625F3636C728D5C3CF7141FAE4D038A85365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:02.856{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563225F547673B8F47552E763E93E05E,SHA256=9F90BE29F114D1D60924B056180ABFCDDF124FD1DE5CA6CFC996138BDEBF74B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:02.778{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3609104F1209DEF62018C58B9AE5EBB4,SHA256=76137862225A72B05ED5B98CC2B5FD37388E2362CDF9E85DAD19003A3A5F0A2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:01.538{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49769-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:03.934{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974D94F9DA7E66AB7272C4B115A63BA5,SHA256=B72A96E89DB3401AEEFDC0CF288CA7CC5E1F94351B8CEF31C4D58A6CBFAC2B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:03.993{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A90983A4684B65DF82D7692EF99BE6,SHA256=DE5EF7EFE2AC2E42F81979F79AE2E0D7C25B5265F856ECE052C128FE9A27E814,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:03.512{69CF5F33-C03F-6156-9000-000000000002}33203472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:03.356{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C03F-6156-9000-000000000002}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:03.356{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:03.356{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:03.356{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:03.356{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:03.356{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:03.356{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:03.356{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:03.356{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:03.356{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:03.356{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C03F-6156-9000-000000000002}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:03.356{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C03F-6156-9000-000000000002}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:03.356{69CF5F33-C03F-6156-9000-000000000002}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001669355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.980{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C040-6156-9200-000000000002}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.980{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.980{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.980{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.980{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.980{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.980{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.980{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.980{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.980{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.980{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C040-6156-9200-000000000002}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.980{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C040-6156-9200-000000000002}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.981{69CF5F33-C040-6156-9200-000000000002}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001669342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.449{69CF5F33-C040-6156-9100-000000000002}4363136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.371{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDF10EC99CA88EA0D519F5D0C46C7724,SHA256=C17439CB02716A94CBEE3974F9206425DEC1570350697DAAA42E1EECF2FDAF4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.308{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C040-6156-9100-000000000002}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.308{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.308{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.308{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.308{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.308{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.308{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.308{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.308{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.308{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.308{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C040-6156-9100-000000000002}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.308{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C040-6156-9100-000000000002}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:04.309{69CF5F33-C040-6156-9100-000000000002}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:05.589{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9ED674D256C12A186284F22DC6BFE37,SHA256=C0F6A658C3CB4B0736DB5FF3D8DD98DB9376134A57E4791E814A7A0DDBEE5CA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:05.121{69CF5F33-C040-6156-9200-000000000002}704532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001763528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:03.023{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61822-false10.0.1.12-8000- 23542300x80000000000000001763527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:05.009{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47AEBE25FE864702658916885AD4E102,SHA256=8DC72A280B59D63F4F8CE5840A2010C5FE4B1CD1BFBCE683292E8476C9F42736,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.558{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C042-6156-9300-000000000002}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.558{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.558{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.558{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.558{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.558{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.558{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.558{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.558{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.558{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.558{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C042-6156-9300-000000000002}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.558{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C042-6156-9300-000000000002}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.558{69CF5F33-C042-6156-9300-000000000002}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 12241200x80000000000000001669384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-10-01 08:01:06.480{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 13241300x80000000000000001669383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:06.480{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List25942 25948 25958 25968 25988 26032 26042 26080 26086 26102 13241300x80000000000000001669382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:06.480{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First HelpDWORD (0x00006557) 13241300x80000000000000001669381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:06.480{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First CounterDWORD (0x00006556) 13241300x80000000000000001669380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:06.480{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last HelpDWORD (0x000065fd) 13241300x80000000000000001669379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:06.480{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last CounterDWORD (0x000065fc) 13241300x80000000000000001669378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:06.480{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x000065fd) 13241300x80000000000000001669377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:06.480{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x000065fc) 23542300x80000000000000001669376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.464{69CF5F33-C030-6156-8C00-000000000002}4044NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.TMPMD5=9ABBDD19649DE87A9267DFBD8E86CD54,SHA256=91E0C1CF2E088BE34332313E71628CD704740FE518D3D7C0B0A32CEB60805C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.417{69CF5F33-C030-6156-8C00-000000000002}4044NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.INIMD5=9ABBDD19649DE87A9267DFBD8E86CD54,SHA256=91E0C1CF2E088BE34332313E71628CD704740FE518D3D7C0B0A32CEB60805C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.214{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F211C45947C7AA224D1D7E6248D9B906,SHA256=EC27C1FA1EF17F35B375A20D60EB2B57201117CB4C1E1B695610FD3B3FFA2FD2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001669373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:06.214{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 23542300x80000000000000001669372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.214{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F7F6638C0F51A57A7B51B0B43BFD116,SHA256=EE7D26FE32B3C124F79C206660ABB0AC995041A15C7C92BEBD65097B47483DAE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001669371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:06.214{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\PerfIniFileWmiApRpl.ini 23542300x80000000000000001763529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:06.040{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CF35297FFFA9346FDF9B12905319A6,SHA256=F01B7FA716C35FDCC05000048D9A8829F1AC5A486F81F520484C954CD68839FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.199{69CF5F33-C030-6156-8C00-000000000002}4044NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.199{69CF5F33-C030-6156-8C00-000000000002}4044NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.199{69CF5F33-C030-6156-8C00-000000000002}4044NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\0009\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001669367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-10-01 08:01:06.199{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 12241200x80000000000000001669366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-10-01 08:01:06.199{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List 12241200x80000000000000001669365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-10-01 08:01:06.199{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Help 12241200x80000000000000001669364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-10-01 08:01:06.199{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Help 12241200x80000000000000001669363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-10-01 08:01:06.199{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Counter 12241200x80000000000000001669362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-10-01 08:01:06.199{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Counter 13241300x80000000000000001669361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:06.199{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x00006555) 13241300x80000000000000001669360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:06.199{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x00006554) 13241300x80000000000000001669359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:06.167{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 23542300x80000000000000001669358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:06.167{69CF5F33-C030-6156-8C00-000000000002}4044NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:07.558{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37253C45CD7031AA767CC26E7A777582,SHA256=74DCF44BEE9EB5C45F8001ABEDCF8331DF8E9AE3CF0F847FB56062F7041BD237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:07.261{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0447FC09FE6E353A15E7D0AA6D26BF87,SHA256=C827E33CA3504C35F4B0AA30E43A1CB794704A297B84BAFCB5C93D94213E0A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:07.056{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB71994B52BC502A91231AA1E0EAFF9,SHA256=4C2B9007A4F86B14BABB15CFF715839E423A9DACC59D187401F2AC0D230891F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:07.214{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C2BBE77060251990CBB109389A8118D4,SHA256=EAE7D85C541D7B04BAECB8655CBA550B5F1C23DE0090BF52597190153E537A9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:07.214{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=038812951D0031FF7018EB59EFD4EBC0,SHA256=DEFDF0550A76A867BF57DDBEA48EA9E41838B582156B47AAAC45A6F8A00ED3F9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001669404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:01:08.698{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0x7e111149) 354300x80000000000000001669403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:07.509{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49770-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:08.292{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB92D011D82DB9C7D468415DACDBCFEF,SHA256=FBDF05D3D846A6B6635D3D23E88FC6BF4C111D46473AB2B6BCC2B4A58DC0BB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:08.071{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80512EDB14E3D6B311DB8225C0D89B75,SHA256=CC61F383D9DD3ECEDF9FED12CCC903641602DC5737E57E6EBB0EE150C24ADD7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:09.511{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3303242647C7F584C3B31C8E659C9CA3,SHA256=EDFDE749FC68343B80F343FE9B5773B13B9C7F69617274389F06475A6CA166BD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001763547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:09.868{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 13241300x80000000000000001763546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:09.868{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\PerfIniFileWmiApRpl.ini 23542300x80000000000000001763545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:09.868{5EBD8912-C034-6156-B100-000000000002}5392NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:09.868{5EBD8912-C034-6156-B100-000000000002}5392NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:09.868{5EBD8912-C034-6156-B100-000000000002}5392NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\0009\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001763542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-10-01 08:01:09.853{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 12241200x80000000000000001763541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-10-01 08:01:09.853{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List 12241200x80000000000000001763540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-10-01 08:01:09.853{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Help 12241200x80000000000000001763539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-10-01 08:01:09.853{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Help 12241200x80000000000000001763538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-10-01 08:01:09.853{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Counter 12241200x80000000000000001763537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-10-01 08:01:09.853{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Counter 13241300x80000000000000001763536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:09.853{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x000068e3) 13241300x80000000000000001763535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:09.853{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x000068e2) 13241300x80000000000000001763534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:09.837{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 23542300x80000000000000001763533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:09.837{5EBD8912-C034-6156-B100-000000000002}5392NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:09.103{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1094B0DF94DCAA6CACA5D6CE9E02D084,SHA256=F19FE7B6003A79C7FE3993AB621FF79E9B0515AD84124645B44DAE0246B0F39E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001669419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.997{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001) 13241300x80000000000000001669418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.997{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000) 13241300x80000000000000001669417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.997{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ena.sys[NdisMofResource]LowDateTime:-575650048,HighDateTime:30874337***Binary mof compiled successfully 13241300x80000000000000001669416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.997{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\intelppm.sys.mui[PROCESSORWMI]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000001669415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.997{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\intelppm.sys[PROCESSORWMI]LowDateTime:-2024749675,HighDateTime:30736945***Binary mof compiled successfully 13241300x80000000000000001669414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.997{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\mssmbios.sys.mui[MofResource]LowDateTime:-592857982,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000001669413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.997{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\mssmbios.sys[MofResource]LowDateTime:2077700573,HighDateTime:30531428***Binary mof compiled successfully 13241300x80000000000000001669412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.997{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000001669411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.997{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ACPI.sys[ACPIMOFResource]LowDateTime:-1594147734,HighDateTime:30671341***Binary mof compiled successfully 13241300x80000000000000001669410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.997{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\en-US\kernelbase.dll.mui[MofResourceName]LowDateTime:-1711938829,HighDateTime:30871737***Binary mof compiled successfully 13241300x80000000000000001669409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.997{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\kernelbase.dll[MofResourceName]LowDateTime:1488817152,HighDateTime:30878798***Binary mof compiled successfully 12241200x80000000000000001669408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashDeleteKey2021-10-01 08:01:10.997{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE 13241300x80000000000000001669407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.997{69CF5F33-C030-6156-8C00-000000000002}4044\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance DataBinary Data 23542300x80000000000000001669406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:10.527{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204A2916A566EC5F9DC4A96D461021B5,SHA256=230016238CC171EE8E92904CD8D4DCF15020E3B8178FB6456712AB32016E6F16,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:08.147{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61823-false10.0.1.12-8000- 23542300x80000000000000001763558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:10.212{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5247D7D6A8C04584511D7E88ABB1BCD,SHA256=80C3B08B66852A3D6AC7ABC305806BD251D898594074EBDD9D56E2ABCF3F889C,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001763557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-10-01 08:01:10.149{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 13241300x80000000000000001763556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.149{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List26852 26858 26868 26878 26898 26942 26952 26990 26996 27012 13241300x80000000000000001763555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.149{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First HelpDWORD (0x000068e5) 13241300x80000000000000001763554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.149{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First CounterDWORD (0x000068e4) 13241300x80000000000000001763553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.149{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last HelpDWORD (0x0000698b) 13241300x80000000000000001763552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.149{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last CounterDWORD (0x0000698a) 13241300x80000000000000001763551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.149{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x0000698b) 13241300x80000000000000001763550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:10.149{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x0000698a) 23542300x80000000000000001763549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:10.134{5EBD8912-C034-6156-B100-000000000002}5392NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.TMPMD5=B789ED3F1E4F8004A62A5E04013A257F,SHA256=6409D10C807D556D130DDE4042F03F3A06CD8F72D01D385716167D16171DBF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:10.087{5EBD8912-C034-6156-B100-000000000002}5392NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.INIMD5=B789ED3F1E4F8004A62A5E04013A257F,SHA256=6409D10C807D556D130DDE4042F03F3A06CD8F72D01D385716167D16171DBF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:11.653{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44F75184E15D88B51DF2096256CB6D0,SHA256=1BABA3746B048F916B816D60C2A8E082461F75593D6CB0958A665B32AD36C6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:11.227{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC0DCD76337CA1C5D8DB2ED7DCC1BE3,SHA256=DFBE0D19948227B3A0CC1BDCEB8B651C98599B7DD15034A4CA8878CE91CCACFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:11.009{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9B620A2FEEE426546018E69C150BB3C5,SHA256=7A6FAE6D8EA0FABD6EB2BD8A07855B820916A28383C1163FBEEB06296C8079A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:11.009{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6FE561CAB69E0F5AB49BEACF2942B970,SHA256=BDAEF501D29C5FEC2CCDA8F7CBFA82172DF7969B5DC403409295E2C7CFB7AAF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:12.873{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00195B7E55F15118717CD04779144881,SHA256=A121B69BE10F24DFF684FB0E5209D8F174F6A6631840DA6150B0E2374F225F66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:10.739{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse45.141.87.54-64220-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001763563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:12.228{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F761A209C893CE834680361DC1AB8AAF,SHA256=7D8F118709232C97718FF92A9F359413B2C57DCEAE9BA1BDDADA0D855FC64593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:13.889{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E59850ED026312DF4F166659885C56E5,SHA256=2B8D0876DF4E2CB22F705F8F7080E628962BB37FE084807F0C0CFB2F5B4442E3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001763578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:13.884{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001) 13241300x80000000000000001763577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:13.884{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000) 13241300x80000000000000001763576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:13.884{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ena.sys[NdisMofResource]LowDateTime:-575650048,HighDateTime:30874337***Binary mof compiled successfully 13241300x80000000000000001763575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:13.884{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\intelppm.sys.mui[PROCESSORWMI]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000001763574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:13.884{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\intelppm.sys[PROCESSORWMI]LowDateTime:-2024749675,HighDateTime:30736945***Binary mof compiled successfully 13241300x80000000000000001763573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:13.884{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\mssmbios.sys.mui[MofResource]LowDateTime:-592857982,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000001763572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:13.884{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\mssmbios.sys[MofResource]LowDateTime:2077700573,HighDateTime:30531428***Binary mof compiled successfully 13241300x80000000000000001763571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:13.884{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000001763570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:13.884{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ACPI.sys[ACPIMOFResource]LowDateTime:-1594147734,HighDateTime:30671341***Binary mof compiled successfully 13241300x80000000000000001763569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:13.884{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\en-US\kernelbase.dll.mui[MofResourceName]LowDateTime:-1711938829,HighDateTime:30871737***Binary mof compiled successfully 13241300x80000000000000001763568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:13.884{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\kernelbase.dll[MofResourceName]LowDateTime:1488817152,HighDateTime:30878798***Binary mof compiled successfully 12241200x80000000000000001763567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteKey2021-10-01 08:01:13.884{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE 13241300x80000000000000001763566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-10-01 08:01:13.884{5EBD8912-C034-6156-B100-000000000002}5392\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance DataBinary Data 23542300x80000000000000001763565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:13.274{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88117AC8D90ADC3137E7B652446C50E,SHA256=170EFA01ED20F3E81E1779CE37D3AA27F589EE843206A7A9872900531A109256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:14.822{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20211001075710-003MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:14.319{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C7DFA81CBA23A9F741A52A8D5283CF,SHA256=AABC3B79C492CA2E3658B089953656D68C144DD673DF6A0B1C43830D89292826,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:13.428{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49771-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:15.124{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EAE56A237635F3E133157138157DCE9,SHA256=C92E736EE57C32D2D9A0AA9F3A3B3CB7CD36D6C9700341D888D789C9D8B81C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:15.821{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20211001075708-004MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:15.351{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14288A78752AB03737E000D3BD3E8288,SHA256=1606433824D910DFC011EC27EC8F55D67072DA9C7659BD67CEC66FAA29C97E07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:16.359{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF973B44D4466A4929E38F4CA93AFDF,SHA256=23A52E6454528BD051A38D432C8A668D840EAF69AC17B25E2E1227524313FD2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:14.194{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61824-false10.0.1.12-8000- 23542300x80000000000000001763583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:16.354{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B25344F50C0BC10B1BEC865F86251D4A,SHA256=85549AE67E7B9792CCEA666A350E36496C9D26656CF7A9FE20BC00584623E67E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:17.354{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F969392A4F6222F8BBCE53B1871434AF,SHA256=9999EBF90710A4A090576C37110198E05F52A1D33949FE2D4495AC0A5C12DC4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:17.438{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1004F4EE1ABB78BC2AE54C7739869E5C,SHA256=D08013531B49D01F75D6F6344F3026C8A57FCCDC4ADA2DABF8767359E2EBA6EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:18.572{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=327D340C7B6B7B0E4921FDEE29109AA6,SHA256=FF78ED9DD41A434987BA3A587A7819CF87364E0A0CD3B68D921E6AB080469ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:18.572{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC772A9CF3EF5F33B1B35AD2700DED7D,SHA256=C649187E1F027035C5DCC2AF3746D0D2F8B3171614585871B7B878EA4AF62BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:18.385{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EF0D825C8693FD06C1DE8C2DF8FD6F,SHA256=2A1B345191BA007E35B4F1B5EA63FE4CE8451F4566D0DCED29F1A81B174ED91B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:18.454{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358F31FFF797E56FE581D67DC59C3DA6,SHA256=3BE520904EE9A6C88C3A73073980AC14B4EA4467BE25C2BDCF4579D8BA582968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:19.470{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3876471D7AE9C098D2B1AD1E592EAC4B,SHA256=9D9757547EC6E238E9EDCB0C63B14769453F6E0E052354CE592FAE3C7EA3FA10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:19.385{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F332B90F10C46C47769B19D3A1F0C5AA,SHA256=A427C7B7F1FC7B14B9D42A0C774EDBE30BE0C6F12092CE35D73F23B8842A23F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:20.596{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F66CEC5A56C123440C3EECB94D625C18,SHA256=EF1AACF294C923048BE68DBD4E86EF042DDEFB8347ED29AA30246268BF5C5E8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:20.822{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C050-6156-BC00-000000000002}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:20.822{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:20.822{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:20.822{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:20.822{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:20.822{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C050-6156-BC00-000000000002}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:20.822{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C050-6156-BC00-000000000002}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:20.823{5EBD8912-C050-6156-BC00-000000000002}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:20.682{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=327D340C7B6B7B0E4921FDEE29109AA6,SHA256=FF78ED9DD41A434987BA3A587A7819CF87364E0A0CD3B68D921E6AB080469ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:20.400{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=801756A19FDA7016F4A0A91701271865,SHA256=16D3E1F088789E75507464CA0F86C285C3C2CA3C60E453B487AA3FE2436D5E74,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:18.506{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49772-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:21.659{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD688BE8A2B0A735C771FD6D7C854E7,SHA256=99D40CE3EC38CDC750164BA5C346A982CA58887B9E75D636A739BCAB3CA2576C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:21.822{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC4B10D9D650C001AC8971DA8DB21875,SHA256=D5B7C800D942F8C7F2C990CCA27B4558E141226FBE594AA7C9E3080B598932CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:21.807{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C051-6156-BD00-000000000002}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:21.807{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:21.807{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:21.807{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:21.807{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:21.807{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C051-6156-BD00-000000000002}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:21.807{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C051-6156-BD00-000000000002}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:21.807{5EBD8912-C051-6156-BD00-000000000002}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001763601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:20.133{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61825-false10.0.1.12-8000- 23542300x80000000000000001763600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:21.432{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7289CA93263C15244C25EF2398CA27,SHA256=8B5E0844AA714FCFE15AC94D181B4EB0E1BDF5A0DCC045C58E6EF5FF30DB8E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:22.847{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5018F8033BC30C5FFD9C863564804B12,SHA256=4959A651DE388BDFD69F77C53D2BC30A13E3CCB8F222939046FA82CF4CFE445F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:21.009{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61826-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001763621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:21.009{5EBD8912-BF53-6156-2300-000000000002}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61826-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 10341000x80000000000000001763620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:22.713{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C052-6156-BE00-000000000002}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:22.713{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:22.713{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:22.713{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:22.713{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:22.713{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C052-6156-BE00-000000000002}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:22.713{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C052-6156-BE00-000000000002}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:22.714{5EBD8912-C052-6156-BE00-000000000002}5156C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:22.463{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7AB4AAA36D051D84A80F134FC5833E,SHA256=67CECF99DE490952C883BC20E70E0742F8134569B55AA17CC613517765BA0EAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:21.994{5EBD8912-C051-6156-BD00-000000000002}51965228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:23.729{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DA8E2456A9FCE35875C289959C88D48,SHA256=A4B6E75EA975799FA57A84C1CF9D2A113ABD0F861993E842C637CB2DBC872C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:23.494{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25EE93A9CF9969A6830223D36C39E83,SHA256=C6FD3BBB77A1E02ED451B9C503C3E16235619FCE8E551BA121A3BDF936CEE6C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.994{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C054-6156-C000-000000000002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.994{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.994{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.994{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.994{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.994{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C054-6156-C000-000000000002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.994{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C054-6156-C000-000000000002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.996{5EBD8912-C054-6156-C000-000000000002}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001763634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.603{5EBD8912-C054-6156-BF00-000000000002}35684340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.557{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11987C8D803A2334796730B6EAC1BDA3,SHA256=08BD04377AE08DE8F28C0A1987E7E18FB77636950FECE5DC4F43EE7E5EFE6249,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001669434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:01:24.707{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0x879bdb70) 23542300x80000000000000001669433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:24.066{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9DC0388FCF8913AF037AB3F75224CA1,SHA256=1813D2541C5B8AACD45A5B6321FC97E50A2D429DBBDD02D15AAFA212D6505C90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.338{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C054-6156-BF00-000000000002}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.338{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.338{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.338{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.338{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.338{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C054-6156-BF00-000000000002}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.338{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C054-6156-BF00-000000000002}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:24.339{5EBD8912-C054-6156-BF00-000000000002}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:25.223{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCDD659CDB2CE1AE3B0F968E61961FFB,SHA256=14EBCD57AB020F9D769B56B7529430BDB84A2E949BC1BFDF76520FC49CB988F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:25.666{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D485E262C26ABC403A3C219923E76B0,SHA256=A0030240FD75B349F1F063C4EDE31FB8A6E6674DB2E965813B1A91147F84B54F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:25.369{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A65DE09502505A64AE12555C00A30A3B,SHA256=ABB5E533022CF77FC9A7F4B3FDA1F3714E48B38F922F2C82AAB33456B6309B5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:25.244{5EBD8912-C054-6156-C000-000000000002}34362216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:26.458{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00325509021838DCB10BCEF98DC29B1B,SHA256=4D03D674541C6F44455C5C61CE3AF28D8487D81DDF035BFE648F4689EE3952BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:26.682{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2918DB19D9CD2B32C6AFC15137BB1BE0,SHA256=478E6ABA4F7A06CD786A3E87DDAB2A520C87FE3128210D6265F452919D0B98A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:24.506{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49773-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001763654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:26.166{5EBD8912-C056-6156-C100-000000000002}45204292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:26.010{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C056-6156-C100-000000000002}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:26.010{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:26.010{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:26.010{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:26.010{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:26.010{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C056-6156-C100-000000000002}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:26.010{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C056-6156-C100-000000000002}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:26.010{5EBD8912-C056-6156-C100-000000000002}4520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001763666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:26.148{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61827-false10.0.1.12-8000- 10341000x80000000000000001763665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:27.791{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C057-6156-C200-000000000002}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:27.791{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:27.791{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:27.791{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:27.791{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:27.791{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C057-6156-C200-000000000002}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:27.791{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C057-6156-C200-000000000002}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:27.792{5EBD8912-C057-6156-C200-000000000002}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:27.697{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865F3FA47CF3DF467392FC174E9FF2B9,SHA256=0D68F4854AD53E2D4016BD3934CD90011E9A8F4BC0383DD9373DDA75091D66EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:27.599{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710F9D22563CF92FCAE3A55EB7A1C600,SHA256=963EDAA48590FFE304D3F6A52166056EE61AC52D0D2111E3A87AD2BF8B3175F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:27.057{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B596518E4EDCDFFC4B47169B9D0E93F,SHA256=12A9182CD0982A3F289B3E8DE5155D83C9FA0DDF26558B6A1396D66D80F4E101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:28.713{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B558DABFF863F17E328E335EA62AD336,SHA256=6D7AE82384AF1F3EFF2F1CC807742C7EEEFAE905C06B54FA6334D09B94F9C66F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:28.615{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F25FB41FB0650CAFEF8EF6DFA7676D,SHA256=EBA6473DA8348D96853CFFE4D7399FF20D6D751CAAA40AF83D7A56894B811D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:29.631{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD57E6A9D591786109D18F9E6FBCAFF6,SHA256=5FD8084C2676C90989B2DA090573387740E4A0FAF899BDBD947A4708E84331D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:29.728{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7480574A5321ED82D25BE421FA884E,SHA256=48013E7F89FA5238098DB815DEE48BAF4030BADED69830E2B93994AAF466BEF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:29.025{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B99225E9BDAB3CAE2F2EAF8F4B9D910A,SHA256=2B450625AD2E959A800B84F89DCF95A2BDB9C9963437F01CE0863A1FB2604AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:30.646{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79549509E2FA4F89303D8226509E3E0B,SHA256=42EB32D05EF2D8FD69EABBF5B4E8512E3EDAF3179EA4A4B7B893ADAB565F9E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:30.728{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1BBAE3E8A8D863596E9BF47CA14AB2,SHA256=C477BEDCC4FA58AD19B2DFC62273F6180A4DE7B3B3F483D1BD0546B90B40DB24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:31.744{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A20B0366AF2D1C439FED9E82C55B8E9,SHA256=45B9F7E301FC8E0A108C148155697B635AE40C8FC3354461B93A7DC2BDA356DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:31.662{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364481171C2BAF0D0A7CDAAAEEBA288A,SHA256=15C96ECD709D1BE89FEB39487589D5799179D863541B2431E5720F2883EF0177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:32.760{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3397EF8CF1C6A63AA6D6787FCFF96512,SHA256=5B0E5ED050E22357D8F3B94C6B15C6DE9751B48E0B1662D7AD2DAA22B2B124B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:32.678{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C9DA0172DDB3626A23D4FCCDA45FE1,SHA256=369FB7119680AC4C509870F96F0CB95F86823D00EB34DE1909562F653EE5800A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:30.537{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49774-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:33.694{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BB8569F14613914B3FF2FDBE141A24F,SHA256=E136C80F590031817050963A866CB1C999D042E0F99677B5DC095AEDB6283265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:33.775{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E5F80E7173493F74311B6619E7BD5A,SHA256=19F55BDB4083F01F2EA052FBA89D31E8929B0C527E040832B6D286FF6D027FB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:31.242{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61828-false10.0.1.12-8000- 23542300x80000000000000001669446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:34.710{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E21720C203BB1318CD241460B680B9,SHA256=1BD1417DA4416F31E4D92C1600F242FC0CE640E0E71CD852DAC25B73AEFC3558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:34.791{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37250F652A3E6BA7908681C38B712A4C,SHA256=96D61C8100EA333F5BDE8CAE24137F4E2F99DD2A7949F0FC544AECABF53193B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:35.726{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51ADD933B4F115192C3D5D1C3D29B32,SHA256=FD2763319FC27B9CB5DCFFDF27ED4F9DCBCC253432C8BF9C73C3469A5D4B44BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:35.807{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F757C912A91D392D45E00E10AB871074,SHA256=DA49716E1AE94F10A2AAD8D72C06397F4CA3808977CEEFA162A1708FC18BE5B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:36.741{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E588455667912D6AA8B58473743C7C9C,SHA256=413F72FC9F970ACC5DB7809C75AD8C47CE9C509C4780427EEAE61A9534DCBF1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:36.822{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C7E59E061123C7DCE9E5DB0AB76D72,SHA256=5D0447BD36290D7EA0EE62E24A13531DB28B8C4F32A4BA5CB01F1F4DBABF4354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:36.369{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E8B2347669D803955B3A58CE10B2B1F,SHA256=E2110D646AC46D0E80DF6E85F6BDFBE495885BC8875449A0AA92B3C7F6B5E0FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:36.369{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEE33B39233328EC14F30AA7B3B1B175,SHA256=9403B44AE9B11585CAA28F9B6045B506E279A6DED7988C40E1A17E488C439206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:37.757{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03996FE3CAC60F4449A9B2B762ED33C1,SHA256=BC4C23808514A919ABED02C18F6F75578D3A92F2140161652BEA9EA47FE91FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:37.822{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F52F75B00F0FC40A34DAC198F9123A,SHA256=0054CAEDE31C9E691B2DA7243A70B239E078EFF5C877116C03A764A4165767E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:36.506{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49775-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001763680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:34.917{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse209.124.239.182ip-209-124-239-182.static.eatel.net50434-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001669451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:38.773{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A76F16C34BEBFC211B04201DAF0D0A,SHA256=1305DA698DB5B42F539E9697CC14FC854D4404449E5BA55E1FA3C668190D521E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:38.838{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAAB62F774B16C68D85097FDDF7E204D,SHA256=7D94D5CBDDB230377A78461B91B9D5458CBE840CCA3240C53756B205421897F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:39.789{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E857A6D4BE034632EA0BE7226646431B,SHA256=990D8A3116E40B913BC389885ECBDB55EFBB62323353C760250A2A0D6C474FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:39.838{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC94768307788B31AD2F93EA963964B7,SHA256=C875E9652D73EA974511CCBEE5F5E86ECBFE3B880D09E1F2B168CBAA3F06DB6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:37.195{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61829-false10.0.1.12-8000- 23542300x80000000000000001669453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:40.805{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BC292830DE0EF8D2091BEF222BC5C53,SHA256=2D1ED5FC0BCA1B410A17D8062DA66B632F007480028E4242C5040CCFCACB05F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:40.853{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C1E84E3B0F8ED2A697A3256C7B6062,SHA256=7F1C38CBF6C906B6A06B4AE76DC84230E9DE2A30362BBFB2FD6AB929DED4D7E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:41.820{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F760AACD28115E491D92144E909B2E7B,SHA256=CB95979CDF749FAF4345E078510A998F386AA5DD55498F8655287CF58F4C4D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:41.853{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95A9280372430093D737944B8BE3A29,SHA256=2FDEA8B50A0794D49C46533702AF6AA0989EEE198B6FC45438443A750C94D310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:42.869{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3457F1C8211D74242B042B9B5D5E13,SHA256=7182423BCD72A2B48C40AF7D648A8451F9E244C2ECB19A3E1CE1472A4EB67DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:43.885{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2DDAD7F0BF3375312F7C167CC26B625,SHA256=BB255C21297F4CB39E6EF8972D1E495159CD6AEB291B4952CC8F0213E99DEA79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:42.506{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49776-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:43.055{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FBAEE49BB651D74C9B5720D93542B1A,SHA256=DD2554F464C288CFD7009C7A37EE2B0B8EEBB2D591A60C0E6A15ED1221574BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:44.900{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4C09CC25D21D669D2392D10FE749420,SHA256=DFA08D86049193D92184790A8577D4FD2C36FE4FE5EBD975457D7AD8CEC864F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:44.289{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1A8189EA0E521797AD861E7D9E140A,SHA256=35CC7AC1C5AF05DD0059A39C0EDAA5C867485B588663AA8D6C0B556B1B73E9BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:43.086{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61830-false10.0.1.12-8000- 23542300x80000000000000001763691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:45.916{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016909F5D23DE9B9DCBC76690A4E74C8,SHA256=D6333B57F5123C213A5119ECF65B501EB7F95E6E5DA049882B5ECD7D4C8888AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:45.524{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B66F21AB355C207F4F5224524C94438,SHA256=E22F781B0D802C832D4402973661F87EAD66E734AF734A5689E32E1A3D5A6FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:46.933{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F6B579FEE197221EF98B2CF9BDD1DA,SHA256=6C45DBF36E4D7FC9451D0CDAE369C3FD835E177C6C9CF5E55CC28C1AB47FF750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:46.758{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630E7B0EF1E6C3B654EDC6E9CDC95C52,SHA256=EE5BA01DFC1D2E7060271C42D62679AC182F527096A50DB1FFF0A37E4BB2BF25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:47.947{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748F751E03626079494C34A81D175070,SHA256=95E539D6D89497184B610BA9DA0668E0977D586023981043CCBCB05E47A831E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:47.899{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC71174AB6D8FFD868D0466F549573C,SHA256=304746E55354AC638E533D858DD21DE131A4B5F10BFFA8BB8160DF04AF9B665B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:48.963{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D48E424C77AE6BDC446F8CD2CA2A62,SHA256=84C595C2101350882B828E7C67263FC3A0810D5AB764BBC6191BFD8F1BAD7520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:48.915{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E747EC400C0538873A7D1C68D21465,SHA256=D155985051EE07FE6374F356ADE36BB5FCC3E592839CE77E712D4C8857D6D8C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:48.243{69CF5F33-BF40-6156-1100-000000000002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EB14541C667D418069E610B3E542DB5D,SHA256=38B69BC550B50094263096CB6248038D2AB50C5925D7D428BDD05D98A1E0826D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:49.978{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CE8D9C52B2C1C1AD35A937C28169AD,SHA256=CE0F800A8A2FEB16CCB51D3090416CF32622714C19D2795580B065B007672A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.962{69CF5F33-BF40-6156-1600-000000000002}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=18DCA784E52BC713C39EAD385C1E88EE,SHA256=4B78842684F71698234B2BF435DEEA0D7A5597418DD713C3C899E61334872CC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.930{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C833367E846DA30A79F90EB20B78918B,SHA256=2FFADEF270EC30CCB4F260DD3348CEDE83A2BF8C7E31E98A76E6E80571E83A59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.930{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-C06D-6156-9400-000000000002}2012C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001763695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:48.258{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61831-false10.0.1.12-8000- 10341000x80000000000000001669478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.915{69CF5F33-C06D-6156-9500-000000000002}31841888C:\Windows\system32\conhost.exe{69CF5F33-C06D-6156-9400-000000000002}2012C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.899{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C06D-6156-9500-000000000002}3184C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.899{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.899{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.899{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.899{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.899{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.899{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.899{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.899{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.899{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.899{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C06D-6156-9400-000000000002}2012C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.899{69CF5F33-BF40-6156-1600-000000000002}12041344C:\Windows\system32\svchost.exe{69CF5F33-C06D-6156-9400-000000000002}2012C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.899{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:49.899{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001669463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:47.537{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49777-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001763697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:50.994{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3834375CF42A9E41B7B6230B661524A,SHA256=FE76D276926267A1F293DE18B5B4F099F44EEEA2DBA2C778CFC766511336B45B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.932{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EADB7F487F3E7DD2E8ED827CF3B52903,SHA256=791D277CB82BC6FE09720EE92A10839B62283BFF82058BA531A8EA67852309C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.916{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4235B8C815FEB1B9C05B5230158D0F35,SHA256=0ED8975571D03ED56847960E6BFA4D2EED6BEC631F12A38AE13C50D782F29FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.916{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=750716D473AFDA4930BE49032DE91E2A,SHA256=F16881603A73A6BF75B536C63AE9B37CBF530D827E3FF275C00A813B4A46C1A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.477{69CF5F33-BF40-6156-1600-000000000002}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF4ad92.TMPMD5=57FE73109F0FED38767C9CC867212B09,SHA256=8E0E90AB78817CCEBE78239C06C7A0A2D7787A7C46AB3902E8A30C000E81674E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.430{69CF5F33-BF40-6156-1600-000000000002}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF4ad63.TMPMD5=90543379E34A51CAD2EDBB40AD8DF202,SHA256=811C33B136E7E1F159FEBD5BC20AA5110C0FFFC0CD15A528338B4A469880E48A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.383{69CF5F33-BF40-6156-1600-000000000002}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF4ad34.TMPMD5=065774C374A11D1ACC5E853F9ED9603D,SHA256=E2F4D70FAEA162E407EF207FA9DA3E4205C0022A74A0326106A122DF9018A902,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001669497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:01:50.258{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000000) 13241300x80000000000000001669496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:01:50.258{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0004acb7) 13241300x80000000000000001669495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:01:50.258{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b613-0x2cd65faa) 13241300x80000000000000001669494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:01:50.258{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b69a-0x879bdb70) 13241300x80000000000000001669493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:01:50.258{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b718-0x421df370) 10341000x80000000000000001669492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-0F00-000000000002}948C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001669491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.180{69CF5F33-BF40-6156-1600-000000000002}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF4ac69.TMPMD5=1173670E6B61D7C6FF96F0021CFAB897,SHA256=082C4454729BBB85F14B5D018B59A31B2196B22BB2C68A4B8B8FD1A9E81AB6DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.133{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.133{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.071{69CF5F33-BF40-6156-1600-000000000002}12042496C:\Windows\system32\svchost.exe{69CF5F33-C06D-6156-9400-000000000002}2012C:\Windows\system32\usoclient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\usocore.dll+210d2|c:\windows\system32\usocore.dll+15924|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001763700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:51.994{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065A6D3A951888AF433A1E426E481EC6,SHA256=783BC7E25B171EFA707BEE762922DD44C91AD29035FDF4D87E1AEA07557B7872,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:50.257{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54263666- 23542300x80000000000000001669506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:51.936{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE8CA48AEC0171A50618B4BF9BF7FDF,SHA256=2BEC8502725E3A95D970F78495A76A581A93C09412D41FCA623A617236EFB210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:51.900{5EBD8912-BF43-6156-1200-000000000002}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8743761054EBAAB0F1765EF4BF741A1D,SHA256=08789B0D9C54E662544093F4C97FC4B1BC69390AC2D7D6A70E48580C2BDBAFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:51.046{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BCA805824C56E9DBEA00ACA96686726F,SHA256=3EFCC9F33D4C1BB7EB799E1CCC7C77BE6C2147A041CB508CA222837DECB4F5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:51.044{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2C4F718FC206935BBC02DC4A6E5EBE2A,SHA256=04A8D2B796FF2C49DAA2DCA9B496DD9D554609DF22DCAA8FAAA536B54596DE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:52.952{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47023D04907CD72C3F4410B073B7369,SHA256=AE96D8273F76AD29BC2C8910DE2BDAF43500C7640FDEB592A096D582B4D5ABF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:51.507{69CF5F33-BF42-6156-3A00-000000000002}2772C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49782-false169.254.169.254-80http 354300x80000000000000001669510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:51.406{69CF5F33-BF42-6156-3A00-000000000002}2772C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49781-false169.254.169.254-80http 354300x80000000000000001669509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:51.351{69CF5F33-BF42-6156-3A00-000000000002}2772C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49780-false169.254.169.254-80http 354300x80000000000000001669508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:51.350{69CF5F33-BF42-6156-3A00-000000000002}2772C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49779-false169.254.169.254-80http 354300x80000000000000001669507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:50.638{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49778-false20.73.194.208-443https 23542300x80000000000000001669513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:53.968{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9F644712661B79A035BBDDA1B8933C,SHA256=6B0938D0139F2B1A23539EE05B2F973EABD7BA38C1C82DAB0B40CFC8E0DE7F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:53.885{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CEEF43F699E5B47F67C10D8926679845,SHA256=5D7E3473AA97D13EE4D11BC0DAB10A42F32E34629BB823C66903DDF1C9269E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:53.885{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E809C362FEFB7D3636C2CAA8F02C5382,SHA256=759E807E63F814BE54CF832960A7D82EFC67D528171F2B7895A534ACE4B11B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:53.010{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A4F52D72A216D684F09B50FD5DDFB3,SHA256=9F70ECB6C7BD666023FF7091650C10AEEA67EBD35857D48C6809292142161FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:54.983{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6590435D527FCD2DC5A661C3264DC1E,SHA256=BDBCB53B01004371244959224C5191C7CE8646E15214501281BCC819113B9BCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:54.572{5EBD8912-BF53-6156-2C00-000000000002}3016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:52.203{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54252539- 23542300x80000000000000001763704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:54.010{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D06635A45E9FF2A015D81B10D8DA566,SHA256=7E9B320C848F5C83E41A021BF354243182EA0857B809AD2B42E5CADE65891EB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:52.589{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49783-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001763709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:54.554{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61833-false10.0.1.12-8089- 354300x80000000000000001763708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:54.132{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61832-false10.0.1.12-8000- 23542300x80000000000000001763707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:55.025{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69773AE405510BF863B389E67B0C12C4,SHA256=44DFEF8E834BF2E12EC4580A8D569CDF5647939CE424F6A9DD00F13607E9F782,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:55.405{69CF5F33-BF40-6156-0D00-000000000002}824844C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-0E00-000000000002}912C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:55.405{69CF5F33-BF40-6156-0D00-000000000002}824844C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-0E00-000000000002}912C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:56.891{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20211001075651-004MD5=E2350FF87285264FC2F693171FD6908F,SHA256=DD0C2B6A4BAA6FC008B19D4F8AE41D7B35D93255AA75D9D1AFF144D5A1F933A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:55.999{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD4C03713E1502EF84A139650F70DD7,SHA256=F05154C676B9AC2A5D8EA20A0FAF05AAB19A6D67B697DCAA61D2AB8CECF55496,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:56.041{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D50F4885DC102702D32D96CAD5CA689,SHA256=BFB1898741EFD2867126388A914DF9B94C32E4ECDC62E211FAC406F926AD69F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:57.041{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051756F8BDA43B8BCA5F41C61317BBF9,SHA256=5BE8582B0B64416BB870C8F92CE7B42DCC51A4070A8A812C8AB0C7B2AE617252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:57.906{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20211001075649-005MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:57.842{69CF5F33-BF40-6156-1A00-000000000002}1872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:57.014{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20C34C4235FF3CEB3A069906FB40FA08,SHA256=2C956CC57150EBD9A95680A76BC0CAA2987E12C89B70EBF7A3B0CF432ADA0666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:58.056{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623408605FC7D0966C0D240F8D932F5C,SHA256=3681C25CBA65E6204677754056B37101F5E256472FDEB6BB54C052C7AB96B076,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:57.604{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49784-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:58.027{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E194827C593FDFA5747B9335A7B1E4,SHA256=5C774ECA830ED287222A68C0729EEAA07460107114E45061BB496B3D38ABAC8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:58.214{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49785-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001669525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:01:59.030{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D16C2AA8DF1D235C42A83BD3652916,SHA256=3512942DD34CEE5C77A914E17D9158C20131807E0251E72D1C30397B54107690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:59.431{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B04ED21D0406973D7C042D6C4C2B7197,SHA256=49CEEA8F26ACE1750B6948E98514366188C4E7DA3F26629FA4C81B82C23EF89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:59.431{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CEEF43F699E5B47F67C10D8926679845,SHA256=5D7E3473AA97D13EE4D11BC0DAB10A42F32E34629BB823C66903DDF1C9269E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:01:59.072{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AABDE14B3B0FB8DFF38513A2E5E1A69,SHA256=23F21828EE53F4744EEEC68AF28A2AB493491906B8FA30BB4C026E407BDCFD52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.889{69CF5F33-C078-6156-9700-000000000002}33563888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.717{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C078-6156-9700-000000000002}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.717{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.717{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.717{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.717{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.717{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.717{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.717{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.717{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.717{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.717{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C078-6156-9700-000000000002}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.717{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C078-6156-9700-000000000002}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.718{69CF5F33-C078-6156-9700-000000000002}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.045{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DC812587358DDC42E8B6C23E938003,SHA256=1B2017A4B673FFE29ACC1CB153D65A754EE2020FB9B472BEDEE4233C08A4827B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.045{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C078-6156-9600-000000000002}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.045{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.045{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.045{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.045{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.045{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.045{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.045{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.045{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.045{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.045{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C078-6156-9600-000000000002}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.045{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C078-6156-9600-000000000002}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:00.046{69CF5F33-C078-6156-9600-000000000002}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:00.088{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA6BD9A2690D8E058CC2A672E0B950A,SHA256=F35ED04FB6E20058DE47B89E9D9BB1C4958567BB9857CFAFED53F96D564B0FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:01.103{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0A3F64BC2D44873DB525B103875D1D,SHA256=F702AD9AE639E80E2A9CB9FAC9A02D0CF1965DDF7FE75FCCA6239DFB2F1C26A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:01.701{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C079-6156-9800-000000000002}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:01.701{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:01.701{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:01.701{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:01.701{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:01.701{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:01.701{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:01.701{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:01.701{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:01.701{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:01.701{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C079-6156-9800-000000000002}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:01.701{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C079-6156-9800-000000000002}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:01.702{69CF5F33-C079-6156-9800-000000000002}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:01.498{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=343EAA22A5C7A0815138020F42D37C3A,SHA256=BD3B3F96186C49ED6C4CD5098DE380EC195005F8785389E54D03A5B06227820B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:01.061{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5791DE500492026417D9CAE026E76AF9,SHA256=C4E119DABA87A85843F11BB0C499255A2C1B82AF515181342541D0B737CB8619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:01.061{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4235B8C815FEB1B9C05B5230158D0F35,SHA256=0ED8975571D03ED56847960E6BFA4D2EED6BEC631F12A38AE13C50D782F29FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:02.103{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2F6EC7D53DD551798095AA1F2898B3,SHA256=14232357D891280EE5678F1485C5D3014038E057888F6C057584007F46525ED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:02.779{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5791DE500492026417D9CAE026E76AF9,SHA256=C4E119DABA87A85843F11BB0C499255A2C1B82AF515181342541D0B737CB8619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:02.076{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41289DA2CDC22EF3FF4A8723D6BD02F7,SHA256=21C5AB94CB7B78DF0E05CB810CAF79B6D075D4BD5BADC69FF8433B4E4045ECC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:03.404{69CF5F33-C07B-6156-9900-000000000002}31282888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:03.264{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C07B-6156-9900-000000000002}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:03.264{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:03.264{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:03.264{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:03.264{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:03.264{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:03.264{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:03.264{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:03.264{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:03.264{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:03.264{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C07B-6156-9900-000000000002}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:03.264{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C07B-6156-9900-000000000002}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:03.265{69CF5F33-C07B-6156-9900-000000000002}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:03.092{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF58AB7791D7E3F9A73D77FDE3460FC2,SHA256=B9C5FB0D886E8FC9DF938C60C7420B66BD861A129FA3DD1223473B55A1382131,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:00.164{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61834-false10.0.1.12-8000- 23542300x80000000000000001763719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:03.119{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6064FA1E9851836DD0209209F1BAFC52,SHA256=716AAA63BB69FDB141E5F3DB66462FF4256110F7779562C437EB4FCA3CEE7AD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:03.479{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49786-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001669603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.498{69CF5F33-C07C-6156-9A00-000000000002}23603204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.373{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6D53E6EE318DB031B32C05AA4969EF1,SHA256=2ECF4491DC0C63A092069C5EB39D3066061E2E1DB96A82A0CD38DEC80544741B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.326{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C07C-6156-9A00-000000000002}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.326{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.326{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.326{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.326{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.326{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.326{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.326{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.326{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.326{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.326{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C07C-6156-9A00-000000000002}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.326{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C07C-6156-9A00-000000000002}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.327{69CF5F33-C07C-6156-9A00-000000000002}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.107{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A58FB9E734A2CE73E9E98C5389364D3,SHA256=1848A0EE771C36DF09F9096BF4A899788796425ADA5D17E5EC22471DCD4AE8A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:04.134{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE5BAC3240E29BA3FE61A28D5FA0B79,SHA256=70CCD440A2163BB8DDA8B50B8EB378707449A96697D8E78A80D5667CBF3BFB6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:05.150{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BAD3A7EF80883A6E10DE2157722C125,SHA256=EB503313679C638663F1556D5044CA674066A798B0ED6EE4CDC53D9E5F6F786B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:05.545{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA4012108BE5006EC7B63CA715C8EF9,SHA256=CFBCF9F137318CDA382FF223036B9921377A0AA157EBCFA3A017620B971723D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:05.139{69CF5F33-C07C-6156-9B00-000000000002}39243132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.998{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C07C-6156-9B00-000000000002}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.998{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.998{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.998{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.998{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.998{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.998{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.998{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.998{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.998{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.998{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C07C-6156-9B00-000000000002}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.998{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C07C-6156-9B00-000000000002}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:04.999{69CF5F33-C07C-6156-9B00-000000000002}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001669634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:06.576{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C07E-6156-9C00-000000000002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:06.576{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:06.576{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:06.576{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:06.576{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:06.576{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:06.576{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:06.576{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:06.576{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:06.576{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:06.576{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C07E-6156-9C00-000000000002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:06.576{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C07E-6156-9C00-000000000002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:06.577{69CF5F33-C07E-6156-9C00-000000000002}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:06.279{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63ED593BEE3D9C67E5E3240B3AA1F5D7,SHA256=9DEC2F5E98DD2B6B64930A41144CF0DCCE3EB85BE53F879DD474BBEBDD39ED04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:06.150{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1496E39A0DDE5443B247850838E76516,SHA256=ED6B337E1A6ABD5420B513818007B87A5438F7268DAB846557C3A7942A6BA9DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:06.029{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73EC051FA3EB364E0DA4826939BA769F,SHA256=9C48A208539DAECD3E8A930CFFCBC1C3CE202059D16DD07EBBFF9FE9C7581770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:07.623{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8657E3A81D392F97126051683CC3DA6,SHA256=7F9D99A773C9F9E2C34EDB556EC80F2B34DE736CE347C2F2053185DA2DE14EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:07.513{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9A3EB4DAF6800A39478C03EE50311D,SHA256=A24332D55F217230A894BF409B811060A9D97F570F48B2B7704A6A224576761F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:05.227{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61835-false10.0.1.12-8000- 23542300x80000000000000001763724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:07.166{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6E8E9726865A3E57D4333DCF503F37,SHA256=5A8206E55DE82195E1DFFD7377CD4DE14B37F6B63E788958BB1C2F7244797641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:08.748{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4287C7338D63C53B1A9849FAE15FCFDD,SHA256=C0AF96402A74E860990ADD609E017AD18977F6BF695BC73E5C6F23F591C35542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:08.181{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF541FF5A8BDB8EEA925338319F5FE1,SHA256=7E07D78F3CBE22F6F91B9194461C35D9B9045A761D8BF44D93B0A4AA9185B5AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:09.982{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=041387ACD7C1E0C17F1ED14222189E13,SHA256=40E51A3CDF268EAAEB0FA75418968231A0CC582698D5C2984A0C294261A62CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:09.197{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABFE51CA7ACA63ACDBED15261C5DEF2,SHA256=2787226B635E5A26503F5EBEA24E27F7440144F95830715D382D7BA7E6B33C19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:10.213{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D6BC973A41B0BB215EDC0E1114A33D,SHA256=F95918B90CD1E439700AFC803BE30FE88E38EE46A1E2C859242C67C506831570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:11.222{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61FF0704580CA104D75EAC6A19FD953B,SHA256=66F349364B43977FA39B443965F0384AC31661A1D4FBE5CDB4802AC7C3BAD97B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:08.542{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49787-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:11.216{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC5856EEA2915F4A63EE42877C28C01,SHA256=911D4BAE65E4314BE0A95BE9460DF905C778B9176717D0305C4F15ABB46B6085,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001669642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:02:12.716{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0xa4397034) 23542300x80000000000000001669641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:12.232{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71FD116061DC77FA832931C6E62E695C,SHA256=C89F5FD4E91AEB5E94089858C39E09FFE45FE75EDA7DB052B59CC1D9871ADD23,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:10.607{5EBD8912-BF55-6156-4000-000000000002}3472C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61839-false169.254.169.254-80http 354300x80000000000000001763733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:10.529{5EBD8912-BF55-6156-4000-000000000002}3472C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61838-false169.254.169.254-80http 354300x80000000000000001763732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:10.494{5EBD8912-BF55-6156-4000-000000000002}3472C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61837-false169.254.169.254-80http 354300x80000000000000001763731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:10.493{5EBD8912-BF55-6156-4000-000000000002}3472C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61836-false169.254.169.254-80http 23542300x80000000000000001763730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:12.269{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F298C697A1B58B415F92D23519C6628,SHA256=76DD1B006F62DDAD5C0532CFD9FABC24854C5119A7674E76ADCE05D6CF3894E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:11.017{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61840-false10.0.1.12-8000- 23542300x80000000000000001763735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:13.269{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E80ECA21B588B49D1E15F4AA7DF480,SHA256=027B289D301263FDC86E1137690E993172898EF805E6C22AEDB0DF44A5E4DE91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:13.247{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A4BF17F18F717626A98B121F03BC90,SHA256=3A449391FE63322C505F84408C7A52911913A0B2A1CFE242EE6E4968A02801D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:14.316{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9830DAF117551BF9C1A6D4348B15665E,SHA256=9DD0BBEBA531F461237035C968D8F50E72DD49590BA2D078F87B7FE94B999AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:14.263{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E9A92C575693110B4D14BE5F7FB2D8B,SHA256=6B0F80BD780EC1540FE1D055E15B952BEF4721A91859DC80DC6746BFC0952800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:15.347{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19DDEA919F72B693A7767CEC0D8C3F9,SHA256=EA089E5DB8BB68C5717E5776BB064E89630EA9436F0F56EF98BC86CDD9FF7B4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:13.557{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49788-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:15.278{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C718EAED9D39C53CD1A0A6AC981D06,SHA256=ACEFD2D62A85B1CD12DB0DDCA3C8BC5BB018B15B49068808FC384C34ADAD8CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:16.350{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20211001075710-004MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:16.350{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD85A39C7CA7B793DE2D06A1CC567AC,SHA256=6B79619C9D9B44A4FCEB6BCC19EE7DCFD9D80E09373FE9D64052513AA073813D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:16.294{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43191CAF37D8317C3848F368666CA9B,SHA256=381AE38649D824BBB401F798FA364D46A7B8919EB59FE9839DCF218EFCD79194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:17.358{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B373E41BAF1E5947B0A3BADB653DB840,SHA256=83BD709F9DA55D96B7880CCFEC639CB7893B7806D8504C99C46D7EF20F773777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:17.309{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064B8746E5175B93060CC41B193650C5,SHA256=40436D0514E6E16DDD1AD9A27B6F2E10E5964BF928310BE050E6DE3A22AF69AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:17.349{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20211001075708-005MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:16.095{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61841-false10.0.1.12-8000- 23542300x80000000000000001763743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:18.443{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B57CE88E624EE14B27192B130B9B686,SHA256=508F96B8CE139A58918CE00ADC444056DE266B5844862E32CD3B53C56A891CC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:18.325{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1544B185A82C46BB9165119ED2F86030,SHA256=E775430C2FEFC292D6E906A647611AC52E8124AA0007688CC392809E35164953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:19.443{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D2F2E96DC667710B661EB18F96CD807,SHA256=E572C544C836C312E555A157818723F0256FC812D27D0E291292D2E19F70117F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:19.325{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A076B81E03DCE440CE1D462E0CA7C281,SHA256=7FA7E8F27A3A00873C4492E0805116F2908729DF9E7708CD74D08560848B5B88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:20.756{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C08C-6156-C300-000000000002}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:20.756{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:20.756{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:20.756{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:20.756{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:20.756{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C08C-6156-C300-000000000002}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:20.756{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C08C-6156-C300-000000000002}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:20.757{5EBD8912-C08C-6156-C300-000000000002}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:20.506{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C067371CAE22200DD04B55ECC711752,SHA256=B4BE1F2E9FABF96748A7DF3E21EA005F207C008D382D12A7EEC3BF3630E44156,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:19.479{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49789-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:20.340{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25435DD2CEDCC301B81923BEA22094F4,SHA256=63AD71772812D6BE119D02D708F8CBC03DC38F780973D792282BF3FA263721C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.881{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7106B8606679613EB54E79707970A311,SHA256=E75109D99D33DB0D1C46CED0C0811D3D265E0243A8BB4AC079F73A7D53887458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.881{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E8B2347669D803955B3A58CE10B2B1F,SHA256=E2110D646AC46D0E80DF6E85F6BDFBE495885BC8875449A0AA92B3C7F6B5E0FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.803{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C08D-6156-C400-000000000002}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.803{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.803{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.803{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.803{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.803{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C08D-6156-C400-000000000002}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.803{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C08D-6156-C400-000000000002}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.803{5EBD8912-C08D-6156-C400-000000000002}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.631{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CDAABCABE20C2C52EBE39777A72E00AE,SHA256=5ACDDEF13B6A4937190089198CF6F0093D61CCAFD1D660DE06E457B960275971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.615{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EE2459026D4A2142EBA6DD26EEC6016D,SHA256=56DF1DA6A366D931F5264D179CF338F737D2CC13AE0A9958C12BBF94641D7A9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.568{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EE2459026D4A2142EBA6DD26EEC6016D,SHA256=56DF1DA6A366D931F5264D179CF338F737D2CC13AE0A9958C12BBF94641D7A9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.553{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9B620A2FEEE426546018E69C150BB3C5,SHA256=7A6FAE6D8EA0FABD6EB2BD8A07855B820916A28383C1163FBEEB06296C8079A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.521{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DFS ReplicationMD5=2866FD095952D9E6886D901B50141D2D,SHA256=A35979E70378DA134D3EFD0278BAF4F2FA04D725CDF178DE4FE83EA7AB24E690,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001763764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-10-01 08:02:21.521{5EBD8912-BF53-6156-2B00-000000000002}2960\Winsock2\CatalogChangeListener-b90-0C:\Windows\system32\DFSRs.exe 10341000x80000000000000001763763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.521{5EBD8912-BF43-6156-1100-000000000002}4441560C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001763762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.506{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94266F76C89200C6AF07504E6365C61E,SHA256=E66818EBF947DE93168E453A08E4B91B96FA6643BC12886FE17697830BC93C68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.506{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.506{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:21.355{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8227D42081C21CB763C7B2CB4D24A0,SHA256=A9B752DA1E3BBA7389076C8B5C1CA84AA39619145EB08B1BB7EAA22336A5982F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001763759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:02:21.475{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001763758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:02:21.459{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001763757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:02:21.459{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001763756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.443{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DFS ReplicationMD5=7641957237BEEE27A6762FB1156F8F9A,SHA256=88B3A107B5D0B29A79569A390BA63F80BF642C48EFA66394F817A09B1FAE2FEB,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001763755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.428{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\System32\dfsrs.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 354300x80000000000000001763805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.532{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61851-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001763804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.532{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61851-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001763803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.522{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61850-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001763802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.521{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61850-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 10341000x80000000000000001763801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:22.709{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C08E-6156-C500-000000000002}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:22.709{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:22.709{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:22.709{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:22.709{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:22.709{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C08E-6156-C500-000000000002}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:22.709{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C08E-6156-C500-000000000002}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:22.710{5EBD8912-C08E-6156-C500-000000000002}6116C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:22.371{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34BD27A5F4821C527895B66CCD37DDC3,SHA256=99C44BF19C159AB3EEACDEAA9C096F0653F89F91610464E1A5AAB933F8FF0F29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.474{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61848-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001763792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.474{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61848-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001763791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.445{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61847-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001763790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.445{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61847-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001763789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.438{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61846-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001763788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.438{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61846-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001763787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.436{5EBD8912-BF43-6156-0D00-000000000002}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61845-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001763786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.436{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61845-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001763785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.426{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61844-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001763784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.426{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61844-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001763783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.129{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61843-false10.0.1.12-8000- 354300x80000000000000001763782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.020{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61842-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001763781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.020{5EBD8912-BF53-6156-2300-000000000002}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61842-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 10341000x80000000000000001763780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:22.053{5EBD8912-C08D-6156-C400-000000000002}24524540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:23.943{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7106B8606679613EB54E79707970A311,SHA256=E75109D99D33DB0D1C46CED0C0811D3D265E0243A8BB4AC079F73A7D53887458,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.670{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61853-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001763811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.669{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61853-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001763810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.656{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61852-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001763809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.656{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61852-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001763808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:23.787{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0CA91B2752A39D0B20692C0C7E20D67,SHA256=A9AEFD5D10BB3BB3B6AF01D2206D0970B39AAF16167CDFC0ED25DCC197A302D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:23.386{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=835263D9523DF5A2C71E57355D968384,SHA256=6309FD650B10E42EE988A83D10022891063904D709367C2D661D3854BE2E21B6,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001763807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:21.439{5EBD8912-BF53-6156-2B00-000000000002}2960win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 23542300x80000000000000001763806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:23.021{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9234BC98A0D0D57669F08E784D326D89,SHA256=84EA6109D8CEC081AE608C900EFD0A6228E307378CB3BA275AA6491DDD33B348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:24.787{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34AA6FDBDDA864BB341E9A18D4D0B77,SHA256=78FAD7E0492A42E65B126C24DBF15FE5AE9406BA3A36D9B79EB2E228E8B10875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:24.402{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B6CED5F12746326404D9FE1A5584620,SHA256=2D5885BCB39E6A697E4C4F8ACC1258920031A2B34554618354116784BE59ED90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:24.553{5EBD8912-C090-6156-C600-000000000002}53965392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:24.334{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C090-6156-C600-000000000002}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:24.334{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:24.334{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:24.334{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:24.334{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:24.334{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C090-6156-C600-000000000002}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:24.334{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C090-6156-C600-000000000002}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:24.334{5EBD8912-C090-6156-C600-000000000002}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001763842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.974{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C091-6156-C800-000000000002}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.974{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.974{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.974{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.974{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.974{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C091-6156-C800-000000000002}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.974{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C091-6156-C800-000000000002}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.976{5EBD8912-C091-6156-C800-000000000002}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.881{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C399657B16A7C1A03FCA89A0CFAA903,SHA256=FB8B9DC451959C247EA2581C8FEC5B87AF88C58DB6DE1502F299A312584CA68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:25.417{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90BC1961920E24C69452515AF10D7A5,SHA256=A518A7FE30B577958D0C0B438E4E135BE8CB37B3AD1D92BA07BD43F4B0FBA162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.334{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=276A74DC273894887254D75F8CD24F22,SHA256=A3D446B443AC0AFC118C723EBD18648D5E9703B777A582A1C2271736F5F7AFD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.224{5EBD8912-C091-6156-C700-000000000002}51165128C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.006{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C091-6156-C700-000000000002}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.006{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.006{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.006{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.006{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.006{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C091-6156-C700-000000000002}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.006{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C091-6156-C700-000000000002}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:25.006{5EBD8912-C091-6156-C700-000000000002}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:26.896{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEA4514FF197554DABAE6FE2197B2B8,SHA256=4669819C729E264105D5073F6D63A4D1D71FFD4996856738C99FAE2744C8FD3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:24.541{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49790-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:26.433{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA354D4FCEA246FA51F990BA30F6F61,SHA256=C6BCE25359F7EB44BBE921963F17B97FA7EAB5997F31B63889CE889CB0B29CEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:24.934{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-58701-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001763843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:26.146{5EBD8912-C091-6156-C800-000000000002}43045760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001763855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:27.928{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F97AC70E6100066BFA1E8E5E18CB63D1,SHA256=671CFDD83066702C218766B5BCC8C699D31781D0C29D30F978D3ED5B4E1EFFC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:27.448{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F2C0861FBFF7DB83DF448C5A470750,SHA256=35B13A71C6A2105AF2607F1D45A6A42A45C7CCEED6938505110D639BED6297F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:27.803{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C093-6156-C900-000000000002}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:27.803{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:27.803{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:27.803{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:27.803{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:27.803{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C093-6156-C900-000000000002}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:27.803{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C093-6156-C900-000000000002}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:27.803{5EBD8912-C093-6156-C900-000000000002}5204C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:27.053{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=284BF65F990B72ED3D3A3FF8C4294773,SHA256=FC8445AF24B598E640940D632A114A6903B5053AD2C2AE60D594F6A239310F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:28.959{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=681E0C680E9F96A9B8BC2CB06DDD09C0,SHA256=9F9F9BBF5E628AF3FCFE9197D861BD03E37EB6DB824FB10383CD3A26F07833AC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001669662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:02:28.714{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0xadc27dea) 23542300x80000000000000001669661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:28.464{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B61EEB6C9CEC56A192F4FD6B6B48A4B,SHA256=E62F4A0D4E769182F99DD3269374845E5C040E0732CEFEF8F0730D7DE9AA1501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:28.912{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0B4893ED75560D65642674D5DB46DC2,SHA256=C4E2187F9A0D4664B7AF5DA45279E2842AB9511839C6CC9E07B092F7B8EEBA97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:29.959{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC3A505B7D3683C076A874E16229776,SHA256=19AE45E16173CD9AE9388A6D1E825DCC7BA2356BFB378BCD59338143269F1CC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:29.479{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1564E098C4DE3B1EBD0DC8116EDBD890,SHA256=69076D5654D560E1D0DD3DAC2CA675B53E7FB6F1381A81E05A8520C03E30A089,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:27.082{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61854-false10.0.1.12-8000- 23542300x80000000000000001763860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:30.974{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B023A9730DB95E8B843F8674301436D0,SHA256=2F2A803B4131EB9519EA5BBF753228A0CBBA8F85A7A21C823CF68ED7C46DE5F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:29.588{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49791-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:30.495{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11A556C836482026610B2A31B9DAFA2,SHA256=CD4FB8BABC56A5BD5FAEE31E5AB638F66FF8B466D4B0AFF3442F6B2161C73DCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:31.990{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB69BCAC1A217911712DE34A14BA7956,SHA256=286F91E6CC50514138EBC487823BCBF7C45A21962EE731D495A9FEE784660412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:31.510{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C706E028FA80B14BC4AEF1943EED0B,SHA256=8DB67A24B06B58D11D8E3561824447F0EA325C4877925801C6A3DE4D556CF975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:32.525{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DB9E7857E8722BD4DD64D105B6456FB,SHA256=D95D85C8FE5D1DB4E56579549C05CB95DFF995A3A5BC5C59DB732F72FD375045,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001763864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:32.584{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-BF3D-6156-0100-000000000002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001763863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:32.584{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:32.584{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:33.541{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3CAAF0A68158393AC108BA8361AF31,SHA256=268D7413FEFB459915A6BDF38363E9FE20543C09E9CCB70A831463A5A5E9DC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.709{5EBD8912-BF41-6156-0B00-000000000002}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnsMD5=1ED9955C15C95D865A46A537998C900F,SHA256=A28BE6F8BD9359291F4A7F554196F44D63B6A5B945818C2F739AF0C137FB0AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.709{5EBD8912-BF41-6156-0B00-000000000002}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnbMD5=76F248ADED9139A0886C6A437AF07F46,SHA256=64C3F298E1609114087713C34E2C7DE71F335647767095B2DB1A7C4973487594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.490{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CE259E0424E6A43D71C95E0638698E0,SHA256=FDB32EF3355C37ACF819987D6722F305929EAD864BB4AD2B348DFEF89A214F8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.021{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A58CD7E931193FADAB5C60B289E3AEB,SHA256=1736A6211F618DE2796D367060A9C3AF4B6825DD1511EB51C0CE2889C7BFC401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:34.556{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BE4F54C751B13C7D0792C31B51DF84C,SHA256=A5FCF23068F8E7FE60CA8D1A29F69276C5EAD4C796DBDDABB64B3DD10482FF2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:34.756{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95E2F8AFB0AE6821A23741A168689C24,SHA256=1AFD460CB67A8A0B25F912D001F7CBA09BA8DC891062AF5FEBA388700745A978,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.696{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local58934- 354300x80000000000000001763891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.695{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64462- 354300x80000000000000001763890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.695{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58520- 354300x80000000000000001763889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.694{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local56655- 354300x80000000000000001763888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.693{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65257- 354300x80000000000000001763887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.692{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local64106- 354300x80000000000000001763886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.691{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57374- 354300x80000000000000001763885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.690{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local60995- 354300x80000000000000001763884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.690{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62530- 354300x80000000000000001763883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.688{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local57838- 354300x80000000000000001763882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.686{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local56268- 354300x80000000000000001763881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.685{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49633- 354300x80000000000000001763880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.677{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61860-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001763879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.677{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61860-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001763878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.677{5EBD8912-BF43-6156-0D00-000000000002}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61859-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001763877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.676{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61859-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001763876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:32.585{5EBD8912-BF3D-6156-0100-000000000002}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61858-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001763875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:32.585{5EBD8912-BF3D-6156-0100-000000000002}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61858-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001763874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:32.484{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local61857-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001763873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:32.484{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61857-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001763872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:32.476{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61856-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001763871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:32.476{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61856-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001763870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:32.238{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61855-false10.0.1.12-8000- 23542300x80000000000000001763869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:34.053{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1C9ACF6E1256CE999BC6D47110DDF8,SHA256=3EDDBD865AD1420334E54F879F0837B125C283F84643259449287719FE791FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:35.572{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A942354F57051538355912F51ED4D0,SHA256=195655D00E23D67646DD27BF13159DC4D98399F25F0D9492CB6AB5BC6E44E9B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.707{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62778- 354300x80000000000000001763904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.705{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local65425- 354300x80000000000000001763903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.705{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65009- 354300x80000000000000001763902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.703{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local62784- 354300x80000000000000001763901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.702{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49213- 354300x80000000000000001763900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.701{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local64644- 354300x80000000000000001763899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.700{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local65242- 354300x80000000000000001763898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.699{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62123- 354300x80000000000000001763897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.698{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local63866- 354300x80000000000000001763896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.697{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59044- 354300x80000000000000001763895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.697{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50597- 23542300x80000000000000001763894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:35.068{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41159CCBDD93AD256FC2BAA8A29DF7C0,SHA256=8F30925E64266D8D98AA2A8CAD39F3C03F686BF4FB5A97E109FA6BEAFA616E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:36.572{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B18018CED9232E7D618E687170DBBF6,SHA256=1A53E5C50027D11AB0AE2E26A11EA726B79A867A7FD5623AFB28768FA5AB0DBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.711{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local60998- 354300x80000000000000001763908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.710{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local60945- 354300x80000000000000001763907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:33.708{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local60850- 23542300x80000000000000001763906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:36.084{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F053A19FB57B52FA271CD14B63B7631C,SHA256=95823C6D657B347D7A6E44DB702C5DFE8674ACADADE682A7152E6105314BA332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:37.587{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70FC8CF17B73D25D37C735D7AC89C7F,SHA256=9FB8911DE9F586E89825D6B0F2F2B5A7569BC3285A0EDA90AFE637C7B8198018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:37.131{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2519915234C42281F31CE4674A91115,SHA256=A8553D88D869854B7FFFB9B52C892C4028B4F769BC925E62D0D021B85A9A7A4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:35.589{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49792-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:38.602{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0A04CDC7E02E71C78E74E990BC3CF7,SHA256=66DC8C18B04A427A307F266E8B06C63B79736F6699F9AC38D6D59AEBAA2F0553,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:37.018{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local57663- 354300x80000000000000001763928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:37.017{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56421- 354300x80000000000000001763927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:37.013{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49421- 354300x80000000000000001763926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:37.012{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local61027- 354300x80000000000000001763925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:37.011{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61350- 354300x80000000000000001763924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:37.009{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65482- 354300x80000000000000001763923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:37.008{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local61982- 354300x80000000000000001763922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:37.007{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58085- 354300x80000000000000001763921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:37.006{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local61262- 354300x80000000000000001763920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:37.005{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local60129- 354300x80000000000000001763919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:37.002{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local63601- 354300x80000000000000001763918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:37.001{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59652- 354300x80000000000000001763917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:37.000{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local65439- 354300x80000000000000001763916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:37.000{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61887- 354300x80000000000000001763915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:36.999{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local63581- 354300x80000000000000001763914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:36.995{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59841- 354300x80000000000000001763913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:36.994{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local63059- 354300x80000000000000001763912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:36.994{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58613- 23542300x80000000000000001763911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:38.146{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A0ACC30E46EE757D23B4BA7164FF3E1,SHA256=7AD74486FD61F6F4597AB153F68E3C4FC7745F4FFAE398AF33436B7E4BA1231A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:39.618{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A942C956CBAEA0DCBC632FC279DEA22,SHA256=A8DD2B827234C12930A1A1941D77F3ACE6404B6D0F15FA1F5EB8C8E29C14BEF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:38.113{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61861-false10.0.1.12-8000- 23542300x80000000000000001763930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:39.177{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=532ED87B4BBA8103A256DBBA85A7FB56,SHA256=7FFFD6C0FA478D117D2E08401658C2B4504792ECE9356CA94DDB8E2BA8408138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:40.633{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E285AA2647C8FCFCF74AEE12D4BFB9C6,SHA256=54ADD4B7136FB0C71A0802EE4419AE5314D4E8EA212DE7ECF3C5A442CE8500DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:40.318{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8245BF99FBB31A3D5CDE14416C237B5B,SHA256=0BBC9D3D1ED2B274A162AC748C130FC2562B1146C48B64682D4A5A64035FEC32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:41.649{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=497368603A226572CEEDD04FDD1F379E,SHA256=FDF72E34ACC386CB8B195C87E51155D144C4F033AE18E7569D2D95DAFC2D0FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:41.349{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D46AD604979815C514C84C43336A34F,SHA256=AAFE9CC8D242BB36D235A1E6155654806E2B77A9C8193060A07B560734281466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:42.664{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C844513179A03EE7B15BCB5D2D5E19D,SHA256=8264AAC89F5811A8EFA217F09058701AB3F232A82B553155B9B82E403BF9A386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:42.365{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3F7231EE56A318132A9F111C19F8571,SHA256=7DF6181FD54F69A584F1520F341AF70A84063CC045FF7C1AE3C1CC055DA109F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:41.494{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49793-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:43.773{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586DE14507EBE545F648F5957A8E869C,SHA256=F4773DDF0A398DC48DBF8E7C5A296E4861F230BE4BC8E7E8D38127A124A3CDE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:43.381{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05A0841E6D30D89973A400AC90B87CB,SHA256=56CEAE094A04DB4E7E59A93D349B41B1A789C3219DD031990D907CF9210C00C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:44.836{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5833BE5312CAC56812C4F86D57216506,SHA256=3CE60771A4568DFD468608753CE1B30F8CE5351A836BFD512D4708D3DB4567F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:44.724{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F44E899F7915E16D82185129FB2429F4,SHA256=7026B45F2F3668CB53DCD4A1FF96D89446E8181BDBD95421F928104E0B9E8FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:44.724{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B32718460C1B774DA2F2456E2089D7E5,SHA256=26FE81808C08A2FA0EADF25B5F608944CA5D702E8555537327079CE16A83070F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:44.396{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9057203E188558636E09CFFDC3AC65CA,SHA256=567F1AB6A516852DC57494FA9E9EBD9C8618975E4CD05C9BEF08EA273FE85359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:45.459{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911035EB0294D901F884F3CCF76D3150,SHA256=1D452E85B9F77387D4C69E34F1F4149985D1BA3CC455D70BFEAB8E2BA452484C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:44.113{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61862-false10.0.1.12-8000- 23542300x80000000000000001763940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:46.662{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73DEF4B02F85C6FCDC136431133CFBA,SHA256=2213403F88F3D45806C9A09BD193D77944E011BD434122B54040945AF00DEEBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:46.070{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38A7F2157366289F1DEEBC3E54A7C2E,SHA256=BBAE01F420D411BC2612909D4E089EFDDE259DD6910A3129EED73D2504A0A9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:47.677{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C12AB21A6F67CFB073AC05F1C645E65,SHA256=F4C0F5F5D53175CCD7E56CD6257CCDE8D427478CAAB29C28CE91A6C40887E83B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:46.556{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49794-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:47.304{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA8D531BFC90B5CF2F0AC21A7CB900A,SHA256=F466EA0308FA4C292C764FAFB30970BC25D51B39CE6E808168AB705DB687DB46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:48.693{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6DB9175B6B47F05C8ADAE2FB4DB55E,SHA256=E2B37B0C97BADA727391007297F848AC8CD13D4B3C2DD93B34B910FEE4627BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:48.538{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFA17EE14496ADA53095591E5A53AE9,SHA256=A06FDF0D08099108C157F2CA98C757CB99C3429200F1FE0F51B46DFD723715A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:48.241{69CF5F33-BF40-6156-1100-000000000002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7BDB0019DDC8F5C9C8CC5197E94F6963,SHA256=1E19A21C3B074ED5B94CAB9773ED5D3F9943EE3EBC9C71F9D3355AABFD86FA1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:49.709{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BA57FBB36AB8890ADACC662C15BA7D,SHA256=83BE8AB8E6F7A370F05DA6EEFEF8B98CEC9A6C26BD1908129D9040D097224342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:49.600{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202BEBE16CAC57A184C465C71AB4C863,SHA256=DB52ADB06056F327C1AA520428C89B3BA6DA504432ABB83CF84FB26E714E4DD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:50.663{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C7F099CCBAAC6F5E7AA25B6758B941,SHA256=A0A9FC9083EBDA128AC3FA2E21883D8A7560AE349E67C53DA81C78DC6D8419B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:49.129{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61863-false10.0.1.12-8000- 23542300x80000000000000001763945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:50.709{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BDE29D11C6AECD9A3FF3E9726AC9C0,SHA256=FD5375A5DA9BC38C184B506059CB55D0BCF234D7E1EACB7B123BF2F62E9CCF96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:51.694{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0159E43D98F8EC1AE4ECC15B78520E6,SHA256=4E2A2776F9EFBB8FD44C0D9775E36F257E1CDAC684F2607F9ED29BBC7886219C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:51.912{5EBD8912-BF43-6156-1200-000000000002}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C90B59BCDC28CAEABA379BEECB566C95,SHA256=58D9466D5C296A1E994C5527D4B4E8AB89ACD74A7C22A69726A3E7342DC75505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:51.709{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C16CBE6CE44A832364791C408BCD8C,SHA256=57614E4827E57D915795DF62CE9D83F97D74DDFC0C6BA8E06EE1DE31D0BB4957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:51.334{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0BBC4116F9DB52F0E8A0FB364087AD7C,SHA256=1DE5D84F91B37863D35A6040BBD9D970AFB0915FF7ED7F2DE9FE7DAD4FE391DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:51.334{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BCA805824C56E9DBEA00ACA96686726F,SHA256=3EFCC9F33D4C1BB7EB799E1CCC7C77BE6C2147A041CB508CA222837DECB4F5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:52.912{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994690DF9DE657664E654EC1402DAFA3,SHA256=34F0FA9B739CB9CDF2B8CC6ECD0D7D333A1B529640CF234D9616FDDEF7823C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:52.724{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D4A8FB8B6EFF52CC1A11B5FB7CA762,SHA256=D98CA83C93C8C6CB083BE9DD72701F116E0FA35FED1166B4F938943C721340EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:51.635{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49795-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001763950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:53.740{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B3E248F1DD72E903692CC04C25A28B,SHA256=7634704EC7E2BB1178A47FEA2C2C338E20B1C37944ECA0811E9053FC429C3822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:54.756{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9F7432759CEA517FC16B1BA3A256D3,SHA256=97ABD4FF4EE814055F940EC8399A39235DA556247F56ACE2E7CD47AD3ADB8D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:54.146{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82CF0BD90DC89105E28E8FC5A9CCD667,SHA256=9E9DC259954FBF20F1D33884962A080E21DE232EE5C978969E0E02CE37CE4A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:54.599{5EBD8912-BF53-6156-2C00-000000000002}3016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:55.771{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5624D700249E8C0DE0DF5F23C5DF152,SHA256=CC171DCE1337EDF2F5DEDE0DCFE3A31F49AEA3F3358A2132CE210DAF4E63EE06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:55.193{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=178938392E0A27E2E646E9A1F4CC8F7D,SHA256=9DCFE4054A3987FA77E4D7986F6812136C8E903722730CD16409C676FA3A976F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:56.787{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D64E281392F6FEB3530A2143C2BF69,SHA256=79FCF56192179F39431AF3975D7AD360393F53676993E5112CC4B721F00E2761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:56.817{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C6E0A416DD84D921B4EA6B1BD16F4DF5,SHA256=6AA5AC06EBB37A79F5617C1443D483064AA017B88151518E66423F0D9839A597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:56.817{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0BBC4116F9DB52F0E8A0FB364087AD7C,SHA256=1DE5D84F91B37863D35A6040BBD9D970AFB0915FF7ED7F2DE9FE7DAD4FE391DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:56.427{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E166C9752C5C9684159116C693A8B118,SHA256=498B38EA94459EF3B421D58E2F2093E9302A9B684DD8B48AC237CB6A78DD4C0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:54.582{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61864-false10.0.1.12-8089- 23542300x80000000000000001763957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:57.802{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E75C37BA90F2A55CAE6966C6B64620,SHA256=468CFBBB2AE73549D14B7ECA1BD01ABD049095E7EB77D99D01C971DEDFD191BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:57.864{69CF5F33-BF40-6156-1A00-000000000002}1872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:57.661{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DDCB6183E9B6680ED72386D1645F18A,SHA256=2CA2EA8E83F71F5A7B72FA99914B594C01B80AF4C5AF7DE4276031768B6BEDB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:55.144{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61865-false10.0.1.12-8000- 13241300x80000000000000001669704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:02:58.978{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0xbfcc77e8) 23542300x80000000000000001669703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:58.869{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D607D0CEED08260013AAE2A33FB44BB1,SHA256=908B97D0E8F405E88FD02AAA74F511CF87AA35AC22B89CA0120E5C289DD8CD72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:58.818{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71FCF941063212BCC6627B074DDD521,SHA256=330A1E702960D48C5B7130837BA39C76745E91FB054CD52CD59CB41CC354F3CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:57.416{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49796-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:58.418{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20211001075651-005MD5=E2350FF87285264FC2F693171FD6908F,SHA256=DD0C2B6A4BAA6FC008B19D4F8AE41D7B35D93255AA75D9D1AFF144D5A1F933A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:02:59.818{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6630C8D9BF6A99EE8B2CA7A10065128F,SHA256=BCCF16B4140A04A525517353D4E9A17DD928C77C95615FB27A36FA73F285E087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:59.913{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81741E0520CCAEE70DDBF860B7B3EB94,SHA256=E572BA7D7D82AD39DAA2B522F3000EB76ED7DF87B3B0F070B55CB807FB8833EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:58.244{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49797-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001669705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:02:59.434{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20211001075649-006MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.979{69CF5F33-C0B4-6156-9E00-000000000002}22284072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.963{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2178F94C5DFEC889754EFE804B82950A,SHA256=E6C21D99ECCF4737C0D80B125C80ACCF6DF843FE88B28106A05CB2D143BF938B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:00.834{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7804CAE83E8B0FA512AD7F064F98EF34,SHA256=F4CB9314827C82BEC815C5093B8D1FE32E375EDE487E2A8F611C7788CEE47C24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.697{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C0B4-6156-9E00-000000000002}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.697{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.697{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.697{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.697{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.697{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.697{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.697{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.697{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.697{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.697{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C0B4-6156-9E00-000000000002}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.697{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C0B4-6156-9E00-000000000002}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.698{69CF5F33-C0B4-6156-9E00-000000000002}2228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001669720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.026{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C0B4-6156-9D00-000000000002}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.026{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.026{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.026{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.026{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.026{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.026{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.026{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.026{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.026{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.026{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C0B4-6156-9D00-000000000002}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.026{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C0B4-6156-9D00-000000000002}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:00.026{69CF5F33-C0B4-6156-9D00-000000000002}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:01.834{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF14BA0F4EC826A46302ECF90A6775B,SHA256=9B4BA20728ACBBEC46CE5CC2DAE6EF32C9A348EE83B380164122ECB2EBDA581E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:01.682{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C0B5-6156-9F00-000000000002}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:01.682{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:01.682{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:01.682{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:01.682{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:01.682{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:01.682{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:01.682{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:01.682{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:01.682{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:01.682{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C0B5-6156-9F00-000000000002}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:01.682{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C0B5-6156-9F00-000000000002}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:01.682{69CF5F33-C0B5-6156-9F00-000000000002}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:01.244{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8667D1315DD58DBBFB347D9811DB309,SHA256=D1F151E0A8E0364ACCB7A4C3810FAF6DFC079C6A2E210BC41E563F75D634020C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:01.244{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C48AD0286E606E73B09A1F45C84BC8C,SHA256=C93D8A380A96157E24806FCFE8BF61A1F31ED927FC692ED2F07F01EF2275B573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:02.849{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9E41F3211C10C719017667BBA26B9F,SHA256=E1303F8379D222C3D7D467E9C6A4208606D9BDE3CF3A1B9A0CE4FC79565F7A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:02.728{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8667D1315DD58DBBFB347D9811DB309,SHA256=D1F151E0A8E0364ACCB7A4C3810FAF6DFC079C6A2E210BC41E563F75D634020C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:02.119{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90409BE9FB491E634C7F50EA63E2ED19,SHA256=0ABABE904EAC7409AE84A9A2D3A0E3007AB97E58A933004F40AE14095208D001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:03.865{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC093EA99B0ED701C40A6567191161A5,SHA256=9BB967475C692E16D7399C2E9AABBE5C5E7563F7284F820557AE394B69ABB729,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:03.400{69CF5F33-C0B7-6156-A000-000000000002}25122508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:03.337{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C126C7EF1989E0616E13A6275BC374,SHA256=8A43D3A2033A459CB4DA200C84035F2637CBEC6DBE4E0F1C6009BE3B0C15D3B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:01.176{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61866-false10.0.1.12-8000- 10341000x80000000000000001669765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:03.259{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C0B7-6156-A000-000000000002}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:03.259{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:03.259{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:03.259{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:03.259{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:03.259{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:03.259{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:03.259{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:03.259{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C0B7-6156-A000-000000000002}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:03.259{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:03.259{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:03.259{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C0B7-6156-A000-000000000002}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:03.260{69CF5F33-C0B7-6156-A000-000000000002}2512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:04.880{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9654F2AC0AE168472998D54839CB1D2,SHA256=4E0B2C2A0AC72B472A00BA116EDC43F2D34455E0D91099CC50D673F6651F99FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.993{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C0B8-6156-A200-000000000002}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.993{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.993{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.993{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.993{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.993{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.993{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.993{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.993{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.993{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.993{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C0B8-6156-A200-000000000002}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.993{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C0B8-6156-A200-000000000002}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.994{69CF5F33-C0B8-6156-A200-000000000002}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001669784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.513{69CF5F33-C0B8-6156-A100-000000000002}33683100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.368{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5121682BCF36A225EF9902001C70B41,SHA256=47ADBC85AE85CC3709C9EC85EA7B1F2B723DEC05FEB9E7F8670B6B136459F43B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.322{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C0B8-6156-A100-000000000002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.322{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.322{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.322{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.322{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.322{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.322{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.322{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.322{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.322{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.322{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C0B8-6156-A100-000000000002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.322{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C0B8-6156-A100-000000000002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.322{69CF5F33-C0B8-6156-A100-000000000002}3368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:04.290{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6674DDB3244824DE4E252433F21F36D,SHA256=C1DA7555C01325E24FC34E791776A6C430EB2545C225A2108173BA3201A6895D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:02.515{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49798-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001763966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:05.896{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EFA281C5A1BACB91127F8D77DD57256,SHA256=626B8628C257BC7AFCB3125920CC52A70CD630182DF8421BB5B5297CEF981CB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:05.603{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E4D7D61C185571CEA75E32F68BF1E1,SHA256=EFEB609A09F6F35EE768DCCE8BC3817D4527B35734357F581607CF95173370B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:05.337{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF683544EBE2D7A31462E2E9B460D2A9,SHA256=AA897826772D28E58A89CCCDB9773E2F2AF50ABDDEB3918B68C12DEC00AECAEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:05.150{69CF5F33-C0B8-6156-A200-000000000002}34964056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:06.665{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C07A4752E1987C879C8978ED3ADED7B,SHA256=092534C53EDF2E1523D90927C51CC21F6A42346E0BAAF7BEC13DEA4C70303B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:06.912{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD72CDCB147CE91955713583232C0A2,SHA256=210E511D36079E593251FDC0966A5ED8F6162F9BF9D7044791161D7B9CC68CFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:06.571{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C0BA-6156-A300-000000000002}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:06.571{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:06.571{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:06.571{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:06.571{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:06.571{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:06.571{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:06.571{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:06.571{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:06.571{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:06.571{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C0BA-6156-A300-000000000002}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:06.571{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C0BA-6156-A300-000000000002}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:06.572{69CF5F33-C0BA-6156-A300-000000000002}3544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:07.665{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9239E52ACF39EE10BF0F584A42859050,SHA256=345143EA6A4D1FEA834D8FC074A063A90827F07B73741EE5179B4571202611E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:07.927{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C36287E5EDF2BE572E0F74672E4D9B,SHA256=B74BABFC936216447FF9C5019C729696EA07D289B5F77745279D61F9EE4AF960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:07.649{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2511872F4DF42513DDEB076E727C0588,SHA256=CD7E6569B856038600BFD755B1AC929AB3DDAC83E621BD0DEB53810D7E2257F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:08.899{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E820C8278785F4A536CB0AACBEBDF33,SHA256=940AED0E652080CCAA292527B239AC641801DF29CB59E2FE7480801391175469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:08.943{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A34327B55B811954EA59A70DBDE998E,SHA256=11B7FA11F9171BF3076A4E55F6DF6E5D99CDEFEE0A19C9B94B8B5EB3957E1AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:09.977{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B22BD9540993492CC78565B480C1247,SHA256=56B6D6FEB0B0BA6C1FD4940374F7BAD7EE0D911BDC5EAF147B41207BBDFD8C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:09.959{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=532BD081C21848CB2BF08181A6AB53C6,SHA256=BAAE802EF74F06959B21D1262E7AD423C481413F09592B3172C78562F9FB7146,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:07.222{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61867-false10.0.1.12-8000- 23542300x80000000000000001763972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:10.959{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D75CEB5A89E295B3B10BF585FF0A235,SHA256=AC6E00A989841769C43A7F4AE5F2E608AFA5032C6A15899D2D3DDD84108AF4D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:08.562{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49799-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001763973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:11.974{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5970315ED378134D4235B73CBCD9C841,SHA256=900EE6788209A9DE249D349BA54D69D48EAC8FDFA888902D30E0634DBDA2A3AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:11.008{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D655E65A1A97F7ECC8B04D54B9FDBE52,SHA256=D6BFA2A34FBDAD029C0BA4F4EF6360D1560F2AF3612E73117015614685AD9CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:12.990{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=281A85618BEBB163B5D7749F12AE847F,SHA256=E1C32C6941F537FADCC7ADD67F4D79C5946AC8511A95F40536A14E611401A2E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:12.070{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E94308B4FE0B26EA020C2A0FA9A863,SHA256=A4120DCDC5A32EA1C3A24694E8EC1C590E100F6C1D8FC619E1BF99C57C2B6E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:13.085{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B6FC97B63677126CDCB4EDAFB20DD3,SHA256=3F5C6E54C8E5FBA3FFA2B3F38E3EF7A3CFBA519479670AB6CB68CCE2F5BB871E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:14.101{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=375735CD271833CA75CD14B76340E14B,SHA256=FFD390877450BF60C4FAC7434D29836A3B5EAE5DCE7D6A8A5E5A523037D36364,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:13.066{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61868-false10.0.1.12-8000- 23542300x80000000000000001763975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:14.005{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF28775DA403DED4C72878816759E345,SHA256=D68C1DC7A63998378436EEF66FFA61C3290B12FCF266AE89E146CD5EFDC9F180,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:14.609{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49800-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:15.116{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4E60851F33098A5622C015AE7D62EF,SHA256=361B384220195AEF4067322E1EF2B605772B11E7423D6369CCAE4CFA4B65D64B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:15.021{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BFCC6164C70B13D8907CC7E21814D66,SHA256=6E01540F1C343264A1C6A8F04BAED108DE982FB49976550EAB220A19BDAFD1F6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001669827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:03:16.725{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0xca607068) 23542300x80000000000000001669826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:16.131{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19D4ED5D35AA259DBC1A5516976EFBD,SHA256=7A1587F81E6EC3A0F2C8568475BDE4AF57E5A9AE691DA6AF86DFA5BD23625686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:16.037{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93535078F74CE6487FE2A7157BB99200,SHA256=FB61CCC413B7ADCBC1FB2798F7E5E06A9B860248EFDD3C8D54D984B6762BBEBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:17.147{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFC6D10BDCE41F3385F311C5CE625B1,SHA256=A3D559DB78589737AE71BBA3E73D4341B62A11D594502132F2B091B4F2314ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:17.871{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20211001075710-005MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:17.052{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C2B9D38D0C92D761E7C29057A50635,SHA256=8ABFCF44F9A2D9779C238F50E3C0FD5C9E74473C5E9E21FE1FF0C158533B579C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:18.162{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFA3485360E217319A08FB12E6CC593,SHA256=B302E550BDF4102498AC46E5ECBC812AA515D11B591BD2FF12E10C706F5EC8D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:18.871{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20211001075708-006MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:18.057{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CD0F2834172F28A5FFB767937E07BE,SHA256=2FA8B8F15AE39D91108AA30D235A3DD35F9CCD0EC3B2EDFCFEFA262513DE8CDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:19.178{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886CC57F6BFD7862F0CB49DC46E3AC15,SHA256=F70FCAD3221884103733DEC7F9E3A41263194DC2C88099C5139AFB46515B5F1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:18.118{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61869-false10.0.1.12-8000- 23542300x80000000000000001763983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:19.118{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E6DC9648A5484DC7F4A2EEE70549FD4,SHA256=1DBFB6B9424BC6F9EE612969D43171FB9D37A01620AA1308DCC7A3CE736E99D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:20.287{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=224C4B256CC571F771796A8CF3C37105,SHA256=817F682678362C3EAAD8F18569B0C56031C75E3057F589559CDEC15D26722DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:20.935{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68ED5F1852F35F5B9FBDAC1893838CF4,SHA256=88A9F99E4A237B338D7B44558D017AF6E8C1E9EB241047E012663DCBA920B8D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001763995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:20.919{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F44E899F7915E16D82185129FB2429F4,SHA256=7026B45F2F3668CB53DCD4A1FF96D89446E8181BDBD95421F928104E0B9E8FB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001763994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:19.311{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse47.181.68.46static-47-181-68-46.lsan.ca.frontiernet.net7595-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001763993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:20.747{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C0C8-6156-CA00-000000000002}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:20.747{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:20.747{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:20.747{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:20.747{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001763988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:20.747{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C0C8-6156-CA00-000000000002}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:20.747{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C0C8-6156-CA00-000000000002}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:20.748{5EBD8912-C0C8-6156-CA00-000000000002}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:20.122{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E222E341BC90DCE14B044DDA27323AE,SHA256=4A4B90DA5D09862950B0CD3365EA811BFD07AE61BD639EFBB9122B1CB3DCCB2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:20.499{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49801-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:21.505{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC023F10514F87CFACC3DF17066DA8D,SHA256=4DAF6C94C504DC5F0F7E1F735C59756045E28A77EEE65113B99B3280987BFB64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:21.982{5EBD8912-C0C9-6156-CB00-000000000002}59005836C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:21.794{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C0C9-6156-CB00-000000000002}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:21.794{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:21.794{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:21.794{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:21.794{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:21.794{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C0C9-6156-CB00-000000000002}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001763999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:21.794{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C0C9-6156-CB00-000000000002}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001763998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:21.795{5EBD8912-C0C9-6156-CB00-000000000002}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001763997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:21.169{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CD8F39CC225D1245983194E0F5B231,SHA256=4089149292F878443BF1B2B1374791D375A74185FEF6F88F3003C4C256FDAF4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:22.661{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CC5A87DCB66716CB6EFFC9514151C3,SHA256=6CE8155C8B5692DC7E8A531053C0323C7245CDA034675BFD33B4EE65EAC0DE36,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:21.027{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61870-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001764018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:21.027{5EBD8912-BF53-6156-2300-000000000002}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61870-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001764017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:20.714{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59252- 10341000x80000000000000001764016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:22.700{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C0CA-6156-CC00-000000000002}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:22.700{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:22.700{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:22.700{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:22.700{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:22.700{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C0CA-6156-CC00-000000000002}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:22.700{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C0CA-6156-CC00-000000000002}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:22.701{5EBD8912-C0CA-6156-CC00-000000000002}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:22.232{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D601D460E347A33AC8D9C766CED94D,SHA256=D618188A2CC2A3D4FC4BF76730306640EA9CBCEE13CEF2717D34409FD8098D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:22.044{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68ED5F1852F35F5B9FBDAC1893838CF4,SHA256=88A9F99E4A237B338D7B44558D017AF6E8C1E9EB241047E012663DCBA920B8D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:23.676{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFFEE4695F74C197E65E712236C317A2,SHA256=943750E16757E39E55CB356DA704F2D45858608D2B0F3E45B5BB1B0BA74972EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:23.779{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79FE311ABC40B712FB5E7ACA4EF1E5C1,SHA256=E661FE3A879B7BBB63939625B9064045173D9D64039503CD5F03370333217CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:23.263{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BE8CDE2142797C48865201C95FDD3E,SHA256=9F17865ED00F3D13744B2ECF71B0DFC8FA30D0D428CD0029EF1C7BEF3AB62819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:24.786{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A872CAA96D53B5E2226A6DD37B1473C,SHA256=79E45EAF186D4D5F676E098B7B19B369431F9F4C6E8DBD961C7859033449A6BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.950{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C0CC-6156-CE00-000000000002}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.950{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.950{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.950{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.950{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.950{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C0CC-6156-CE00-000000000002}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.950{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C0CC-6156-CE00-000000000002}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.951{5EBD8912-C0CC-6156-CE00-000000000002}5952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001764031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.482{5EBD8912-C0CC-6156-CD00-000000000002}59405944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.279{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C0CC-6156-CD00-000000000002}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.279{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.279{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.279{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.279{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C0CC-6156-CD00-000000000002}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.279{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.279{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C0CC-6156-CD00-000000000002}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.280{5EBD8912-C0CC-6156-CD00-000000000002}5940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.263{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFB22F70CC92FE213F54E6CA103FF04,SHA256=F84681CB8C41D28ABA09BF2FA43FF6C8A8C4C076F2C2CFCBD4F5B82B4B15436A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:25.982{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C0CD-6156-CF00-000000000002}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:25.982{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:25.982{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:25.982{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:25.982{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:25.982{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C0CD-6156-CF00-000000000002}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:25.982{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C0CD-6156-CF00-000000000002}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:25.982{5EBD8912-C0CD-6156-CF00-000000000002}5992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:25.294{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D2FD3E720165A8A173343C5ECEF1D6B,SHA256=00C5CAFB9B4C56C0607C821D7176FCFDDB692B8225AC5C7CDA3D9B440811755A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:25.279{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A700A9DEBAA15E5430062BC3AC570D,SHA256=E16C45869C17B520AED78C238FECDD23F94CCB3081511503CE70794046E2A429,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:25.154{5EBD8912-C0CC-6156-CE00-000000000002}59522508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001669838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:25.546{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49802-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:26.020{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461B3B1F384424346645DEE979BCB44D,SHA256=B96033FD28A9973145E5BE3D6D237495FC8577381575D6E3880A0168C296BEB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:26.310{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5EAF0FFC5F70E1B98EB50411C6C1773,SHA256=5759DAFFAFADDFC6B730E36FAFFE195F432DF887F2C0337032783540272B0B34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:26.169{5EBD8912-C0CD-6156-CF00-000000000002}59925988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001764051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:24.105{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61871-false10.0.1.12-8000- 23542300x80000000000000001669839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:27.238{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06CE857F45417F68C8F413CA0DA1FBED,SHA256=151D8A1D9FDFF727DDAE1803E297C83582AAC08D71C25C046693FFE58E6FAEFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:27.794{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C0CF-6156-D000-000000000002}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:27.794{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:27.794{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:27.794{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:27.794{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:27.794{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C0CF-6156-D000-000000000002}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:27.794{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C0CF-6156-D000-000000000002}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:27.795{5EBD8912-C0CF-6156-D000-000000000002}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:27.341{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBE4B54CEF3068E28D87AFCBA85C5FD,SHA256=47822B3DCEA68A5A61FCD2D8EE641CA04F1D070E5BF3977487C91998A479FA68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:27.028{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14A9A01DB9B4DE5E1815FD30C0A685D6,SHA256=0010230205903CDE3272F356E83A4C1B38F0E05B14AA74DF37DA235E82CB83A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:28.316{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CC360A1CEB1A5B651BBE9D3D2A44AE,SHA256=A2D22054A36B1FE19CA2ED57690C4AAD9DA2775F64C2E3CB279D5D14C489A890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:28.935{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD2875AA378BAF8FA831B32F0283AD46,SHA256=8441A089289B5CF77B0590D366CEF95EBD670496245994CFA005DBD3A6AC7237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:28.341{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0413311360417D9792B1379076A12466,SHA256=4611991898EC2A24512F1F558CC13DCE7133283227CA5ABC438E14EA47D0BCB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:29.435{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFAC8E050C71E18D3D89F802F8816123,SHA256=5D6D9C347656EE417F90CA178C45B33B43F4EAD967D1E908799F8112844C52A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:29.331{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C24500EF063A22406602CB7A2BDABD,SHA256=55978D1708043A021C8C43A0B828A5C9DF474EE88F34CC6502D222FAA8DF142F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:30.528{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC5F11530C46F3F357C6C1AD642D53E,SHA256=8C81F4AA34B96731A9CED4C0E8996A63F4CF82C692C7DA47C7BC1517F531AB1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:30.347{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA68A484E79F494FD9C8F2AFD1466D70,SHA256=FE56EFA9AFC295CA2DAD4326034639A83E2AD70C3AC16A39A696F410D5CC79BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:31.560{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD3E097D5E1C7DB34EF65448E9C5FE3,SHA256=C396765C842ACEDE64842C838A4FC44A70B5318A49EB4493A58C72DEBE311689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:31.362{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BDC3685099A0A69A4E2AA57FD3D3860,SHA256=16E9F28313E29152E95060FFFAD3EAF3BB3A165BD7E40AFE21D3376C907920FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:32.591{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D59DC6C7EF8F876E8A3418638182E2,SHA256=5955E20AB8A1F3A9AF76FAD5F921F51526AEFEDCBD239813C64C0F0CEB45F7C9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001669846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:03:32.721{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0xd3e9447f) 23542300x80000000000000001669845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:32.378{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A798D3B8FA019C54480333DE6481165,SHA256=62AD0556A05DAAA1DE63AB6E5C4691B0B3D7CF2FA6481E924FB619E39508F266,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:30.073{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61872-false10.0.1.12-8000- 354300x80000000000000001669844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:30.593{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49803-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001764071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:33.607{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FADE15DA843315EB9CBFF8DE8B7FB8F7,SHA256=4B5916409B93BF88C469252052C177ED85701730179947109F471E82CD11875A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:33.393{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D52FF9675BAD7BA48A2703500A69D0D,SHA256=0C8184CB1D0A041463F9C2FA2110C13A57B9AC70BBDE4EA3CE1C7048E2434512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:34.685{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE5A236FBAAD97736BEB558EE3E672D,SHA256=DA073055540AA63F2FB6EAFB2C5587146B31075798EFDE6EFE2BB7776DD909B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:34.408{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60862ED524CC8443996AB130E489F1FD,SHA256=D68A30E13EDCF1D6600BA97DCDCBC5DCB6C36BDFFBF97BABD7E8EAF160B74BDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.857{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.857{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.857{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.857{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.825{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C0D7-6156-D200-000000000002}5392C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.794{5EBD8912-BFA9-6156-8100-000000000002}37161076C:\Windows\system32\csrss.exe{5EBD8912-C0D7-6156-D200-000000000002}5392C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.794{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C0D7-6156-D200-000000000002}5392C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.794{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.794{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.794{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.794{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.794{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C0D7-6156-D200-000000000002}5392C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.798{5EBD8912-C0D7-6156-D200-000000000002}5392C:\Windows\System32\InstallAgent.exe10.0.14393.4169 (rs1_release.210107-1130)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=88C7DCDD735B31E4F5620E4B9F38C87F,SHA256=5EF1322B96F176C4EA4B8304CAF8B45E2E42C3188AA82ED1FD6196AFC04B7297,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{5EBD8912-BF43-6156-0C00-000000000002}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x80000000000000001764078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.716{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368FBA43C2FCEA0CE1252C9F19051775,SHA256=1F447B4B85994E9D2FFC1E273D90598AE88CC21DC989FF16F00D0C67884135B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.716{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.716{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.716{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.716{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:35.716{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:35.424{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC27E4795680DF6065581D7C8A2AC5F1,SHA256=077CB52D11DC7EB98BE26457D9CE989D3F5CFDAD6060CD0A47D17ABE97EEC540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:36.732{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B23B6FE239D93778AAA1210BDA5AAF,SHA256=9FC019F3BB17C97A63FF40D19A09426EFF84E18BC2DB453D15328CD9DCD813AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:36.716{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB27146DF16263EDE5023F931A1636A8,SHA256=11FEC72676A41CBFC20712B40DBB6D0953207148F2BE0294F8037A5893B77482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:36.716{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44FAC47D21A22E36DA38A816CEA6B4F9,SHA256=85CA4001556FB9A545A0E3FFF5AC73BE3E926FDEAC0551369DC176E8DD0FA7BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:36.439{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A3B43B724AD04453B3B868F401257E,SHA256=D664BBFC5ED46CB0DD3A8F18F501C21FB8BF20663E09A467CA76CA82763A7C96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:37.732{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E220A359FF2FCCF3317B8B25F5E7B050,SHA256=947D7A76010D14A2284116BDFC137898DF9DA95B9AFB84B7922E1693A84E03FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:37.454{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63DBF550D46FE4EEEBD5177F7D68279,SHA256=A803E3C02D27A8C2D82A1FCF1D89F00420C7AEA90414D0200A6FBA19118A9D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:37.216{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=94015340B9AA11A5D5C3E98D48C7C378,SHA256=7B9FE86DD6A616EE7E132E0F455BA74752B551934E6568A448F95FE98F7FED25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:37.216{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B04ED21D0406973D7C042D6C4C2B7197,SHA256=49CEEA8F26ACE1750B6948E98514366188C4E7DA3F26629FA4C81B82C23EF89C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:35.624{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49804-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001764099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:38.747{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A742C68D433321AABF825912ADB905A,SHA256=5E831A619C6976C95C69761D9AD2B0B388AF445BAFEDC5A6FF2064D83877FEB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:38.470{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA05E39E1DE74114A66DE297B7BFDA34,SHA256=1FC19F2C5946CE13A2791598DDC24109CFA33BA8965C3EBA1297395D034083E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:36.105{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61873-false10.0.1.12-8000- 23542300x80000000000000001764105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:39.763{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370F48143523860DE09924EAE15242BE,SHA256=E29E01C13FA2870534174276B27C04D7BF973FCDD05D3778833B976F84C5F4A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:39.485{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174839FE1E565CF6FA615CDBBB2C5348,SHA256=36674BF292F34493B93A937028DC10222A26EA43289FFC796F59879A7ED14185,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001764104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-10-01 08:03:39.232{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\txtfileBinary Data 13241300x80000000000000001764103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-10-01 08:03:39.200{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gitmodules\OpenWithProgids\txtfileBinary Data 13241300x80000000000000001764102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-10-01 08:03:39.200{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gitignore\OpenWithProgids\txtfileBinary Data 13241300x80000000000000001764101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-10-01 08:03:39.200{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gitattributes\OpenWithProgids\txtfileBinary Data 13241300x80000000000000001764100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1042SetValue2021-10-01 08:03:39.200{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 23542300x80000000000000001764106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:40.810{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8CD8696D5D16A8B24C28FBA1101BAD,SHA256=47B7352D7B91B20CD9C402AA51947B96AA47DCD09F8751D8EA915BFF278DC41F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:40.501{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE99D6E7CE2A5500DEF97A8C3E97E6C,SHA256=CADB70C1CE4C3ED997A2CDE2F8B0435D30D64DA206891555ECA0C3A917362994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:41.841{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5980CA6EFB9453AF699034F669F0EBD,SHA256=83D60F5132C2F98FC32619C0B26FBFFE3E9D3B7D466144A3DDBE454C91ED3EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:41.516{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5D53A3A04C2D0650178E7C30655AB4,SHA256=8FFFA5192E1FBC9022D8D8F24AD1A8CE4D01EDAA327EFDFC0B5852CE2B47302C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:42.919{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE0552063EDFC9DECB3DAA57CD56AC2,SHA256=868FC310FFCB27AB693719200263E3EBB82B5B8AEDD654402BA4530F63015AAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:42.532{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4CFBF21595C59C40C8EE1F7288FC91C,SHA256=161B999232C45A308485A664B97ED137C6BAEE3281831103E91F5E764324EDD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:43.547{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6D2A3ABFA53D776D138C1EB9F8CC72,SHA256=36AB5E251311A97FE2466A1BB50B5F461C2E89B57A6A8A118F02F181F60BFF23,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:41.230{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61874-false10.0.1.12-8000- 354300x80000000000000001669858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:41.483{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49805-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:44.562{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE13CDB3C0451D92D73F5FCF5145B32F,SHA256=88BD36EBE4FA54C56490B8AA6CCC6F3A590153900C5EEF481786ED45072993A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:44.013{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59BDFA5CDDEC4559B1366EFEBC47BBE,SHA256=8E7B317B557DAEC074B38B447AE3C25A321461A728E496EE56A8FDB805A04D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:45.578{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85E3EBF4F9B5D035D992A60DCA66AE9,SHA256=657996D6FDC2242F91460DBB6B687D86646CC9FD41D44EA61ED99385CEFABA5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:45.060{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929FD3E72F820759D0FCB41E3F337862,SHA256=CE87AAD7709978751A8D64B7FD9587E02658209236956D973C85ADA98D9BF865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:46.593{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B14912A7C274E75AE729A1BA7C3A902,SHA256=72C5D2C445AE064286A87EDEA21589EEA38BD2DA06BB39E6B4F62AFC0798A6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:46.091{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A0173EA5DCBA21FDCD8D5437FFCD72,SHA256=AA434B0FEBE258DE10A909A75EAF8D2E65670E17ABC7E7BF52AC5F4BE4BFA18A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:47.608{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8BB51DE7544EA191F7ECE3F88B8C20,SHA256=0EAB8BE36CA3CB6008E89FDA6EF787B650033446DA333217F99BE2EECB0747A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:47.107{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=343B74FDC2151AC8A2CD97BD2C1DBD52,SHA256=FC1D26EB7892C262EC919777C4FC42AA3507C74A4DF03A21E46E2B8C4FCA3351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:48.624{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A076FC91FF04BF642295BB77822F521F,SHA256=B05D87CB4C433C01DFBB54A06E8A08B69EA45FEB825DD9243D22ADE3A45FC4E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:48.122{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46EDBE88B9B75D44BFEC1999AB84FE3,SHA256=19EF545342BD8B66D729AC8BDD6E3B4A53E2E2D7C839F51C934AC5E81C253143,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:46.577{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49806-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:48.233{69CF5F33-BF40-6156-1100-000000000002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BE6A8A220FC47860A1694E610167D8F3,SHA256=C9B7BF69B868E8EA2734C182294F1739FD7680A0E410DAA91F38663A9EFAE1EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:49.639{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC547C1BFF7F68C4EA1DC876C3B8D39,SHA256=6F511E4068435B71262EB7DC1F56BD62E5200A513C16EF3AF708DCE4701F9ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:49.216{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93FDDBC1B729F440ACA783F1514DA94,SHA256=958305B3A55D0751B3BD64FD80A265EE98ED7D9FCB96A519AF64F9D5B492CC34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:50.655{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0186DF60533851A0648E71EE5C1C26AC,SHA256=9D1326CDC2CFF06F2A7B0FB1127AAE0D9F33BA7593F955DDF64ED5C84C320DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:50.231{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C65BAB484C19F1DA19862B3D97C3943F,SHA256=C2702DFD6DC4FA1EC7D9C7E1FC17A9B6AE5C74DA16ECC9884EA7DEE65064403C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:47.245{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61875-false10.0.1.12-8000- 23542300x80000000000000001669869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:51.670{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C2D844FA7626A5A8BBCFD8CBF6AE436,SHA256=7C4D9419B7E544D1FC4ECBF29DF8968377761ECE0538F87DDF310AB26CAE3214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:51.919{5EBD8912-BF43-6156-1200-000000000002}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C27A21169DD3491691C58CBDE1EF9555,SHA256=79283EF8CC8F90D0764377C5D6476465EDFA316B7D94DC7095E13F0DCF5B8B16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:51.247{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24342E4B42AD5E2E20C47F3C018BF76,SHA256=50A739E1831DE9E073B9B202EC0BFDAA97899500D96AEADE237A04EF4E476F3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:52.685{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0086B501EB6B35257A42B3359930BC2,SHA256=2290D6FC0447EAF76552BC78482349F3C71DBA87B79238BDFEFFB87693B8027E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:52.263{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F90747852E00620734FB190297631FF,SHA256=6F015143B3DFFB2764C353787DC7F609522C5508364D0A07399131F5397CFCED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:52.483{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49807-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:53.701{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44711187D86D1B673B0D851B3E583826,SHA256=6925B1A352F0A78D14A8BF88EBB3D01E101BF1B6A4EDA662CBF6A0058A0034C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:53.278{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2CBC9731C4A45BB706C2C145BD828A9,SHA256=32457FC50465DA4DBA047D5AC429FAC142F29802883A8A49EF55C9B22C64FC99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:54.716{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6219DC03F93F26ACB184B17A40685F81,SHA256=E3B94E049A07B13B2865C5A47AA6765A79E59D946632AC853F6D81553EA26AAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:53.230{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61876-false10.0.1.12-8000- 23542300x80000000000000001764123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:54.622{5EBD8912-BF53-6156-2C00-000000000002}3016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:54.310{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917EE2727E981C7FFE3714F1C1D901FF,SHA256=2A16CC35CB43C46DA1471B9ABD56C135D2625D0CAFE4E5B45E1C3C626938E034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:55.731{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12DF2118FEA3D3C820A9E8A054D37F6,SHA256=7F52F515536C54E1E7737CC60BFA6138DF34126AA54AB229568139D8A612728B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:55.341{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E74A910FD3585E730EB3088C14CD0C,SHA256=03E7793A86BEF7BC6A5A00DCB43566C54AF4F0CBE3EE90C21EDAE59095D56715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:56.747{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F731D61E59A15B9BC480832CA598F779,SHA256=94836329B9DD7F3167ACCB77CAA9F1218B92D125A63F98AAFF29FAEC626C8945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:56.341{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E02FB38D5F9F8F2E02CF1275C4C9BBC,SHA256=3D6ECD027A21AD7F040DB8041177DA5AC2EBA63CBCE3663C9E87AE11F44A55BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:54.605{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61877-false10.0.1.12-8089- 23542300x80000000000000001669877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:57.871{69CF5F33-BF40-6156-1A00-000000000002}1872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:57.762{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B52B544C4F3EAEDC418ABD0B56A7B03,SHA256=761F72F7EC7D1FA0AF87ED6575F67451F1D0971301F6F21541DBF522A1D7B3FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:57.356{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE9B3C6EADDD4D27FF558F9727ECD95,SHA256=24FF8FFD338CC846168B699148D33DFD2C7CF50A2E475AB4D9C80FE2143C5641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:58.981{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E6CA9A67B4530F8618CF3518B0A991,SHA256=D517A78D235D7AE9554500989D9F9755534912D8053AB7F613A45E467B534D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:58.372{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3338FAF998D1FD7BFEFEE3AD05CDF9FB,SHA256=332A90D8632A3B79E6BE2374D548CE750A1B594F997987CD64F2B9AB79218E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:59.388{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF103FED07BA56FB29FAB2484968FD66,SHA256=27264415B7F18C1208B50C1B1F96B355523765CA49313B80D71551A2764CBCE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:59.940{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20211001075651-006MD5=E2350FF87285264FC2F693171FD6908F,SHA256=DD0C2B6A4BAA6FC008B19D4F8AE41D7B35D93255AA75D9D1AFF144D5A1F933A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:57.529{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49808-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001764131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:00.419{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA56067D833FE73CB709FA10DFE4D66,SHA256=F1C99113883AD6A8EC12AA50F74674816113D135BB8C1EE531E68AD40C67C6AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.953{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20211001075649-007MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.844{69CF5F33-C0F0-6156-A500-000000000002}21403060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.688{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C0F0-6156-A500-000000000002}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.688{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.688{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.688{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.688{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.688{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.688{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.688{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.688{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.688{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.688{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C0F0-6156-A500-000000000002}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.688{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C0F0-6156-A500-000000000002}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.688{69CF5F33-C0F0-6156-A500-000000000002}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.110{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=626694C759F11212F826A758610DF911,SHA256=4014B9AFFC1275087E8554F5AF6A61B522A6AD0EC6FA549CF7E7505B23005555,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:03:58.264{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49809-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x80000000000000001669893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.016{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C0F0-6156-A400-000000000002}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.016{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.016{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.016{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.016{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.016{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.016{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.016{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.016{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.016{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.016{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C0F0-6156-A400-000000000002}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.016{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C0F0-6156-A400-000000000002}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:00.017{69CF5F33-C0F0-6156-A400-000000000002}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:01.450{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12DBCCE71B7848D47640E47BB5F52FD2,SHA256=79B7F1C977AE28B1C75E20C01E2EE42FC154471E95990D1CB6889F93FC601AA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:01.673{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C0F1-6156-A600-000000000002}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:01.673{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:01.673{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:01.673{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:01.673{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:01.673{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:01.673{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:01.673{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:01.673{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:01.673{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:01.673{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C0F1-6156-A600-000000000002}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:01.673{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C0F1-6156-A600-000000000002}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:01.674{69CF5F33-C0F1-6156-A600-000000000002}1728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:01.232{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E57F495FA18C5F3C0EE8D49B6546EE25,SHA256=B8BAFFFE9B522A24DF3143E6C4634E3BD912223F13C9ECC47C9C1A479AEE4A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:01.232{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFBC598C49D93624895B680A08A373AB,SHA256=B2D3B4DB2DDC5F47C6920024EC0D4072F58288654E7CBEB3C00D24AFDBBC6DC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:01.123{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7BE923CCEFBEA7DF5DD1C355D6EEB1,SHA256=F2AB1EF0F1C42AC8B5081E3C434531DAF0E7B4918FE0DEBFDA1B36A607929735,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:03:59.136{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61878-false10.0.1.12-8000- 23542300x80000000000000001669928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:02.704{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E57F495FA18C5F3C0EE8D49B6546EE25,SHA256=B8BAFFFE9B522A24DF3143E6C4634E3BD912223F13C9ECC47C9C1A479AEE4A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:02.360{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29AB7E2B9EA4F70F534AF2F199E5E1ED,SHA256=DAA48F96514B0C83FAB5EF9AA15F9334B1E9942B169A260172A25C026BCC8B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:02.513{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1639B65D9EE18E272D95DCFB1B695558,SHA256=E79EE031787C11999BF2B07E95D92AC76982E13A0C6276FE135A66FAA37E9A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:03.528{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A4E97CAD256213487FA8B090B20D71,SHA256=ADF27B6CB41BFD29E5185C2BE68A63D9C0FF06C3D8F8DB9A7DF2056C4922AC4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:03.516{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923B2D59E6BA472111B536B4E95C40FE,SHA256=157394777866256EE9F3F3CFB06ECDFDD2A9F33F15B25EB29EEB05BEE7E4363B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:03.422{69CF5F33-C0F3-6156-A700-000000000002}32083024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:03.266{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C0F3-6156-A700-000000000002}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:03.266{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:03.266{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:03.266{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:03.266{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:03.266{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:03.266{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:03.266{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:03.266{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:03.266{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:03.266{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C0F3-6156-A700-000000000002}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:03.266{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C0F3-6156-A700-000000000002}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:03.267{69CF5F33-C0F3-6156-A700-000000000002}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001669972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.985{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C0F4-6156-A900-000000000002}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.985{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.985{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.985{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.985{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.985{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.985{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.985{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.985{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.985{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.985{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C0F4-6156-A900-000000000002}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.985{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C0F4-6156-A900-000000000002}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.985{69CF5F33-C0F4-6156-A900-000000000002}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.532{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF028A190DB0061E23D4B5CF25D6887,SHA256=B36A1BF61D0C333F04F9A98269DA8B14FF366DECF7871CA5637DF592C4FB3F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:04.544{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589B1FA6742AEA785FADD2016D7DB7D9,SHA256=98EFDDEDC34584FCDC4A44D2E60AB52DFCD5048638C8CA0CFC1925BC9DF9EA9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.485{69CF5F33-C0F4-6156-A800-000000000002}28123092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001669957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.375{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=603D569212ACE79FBF2CDAE4BCA68A3D,SHA256=4DF2FCCC9284573ED13D809EF161F2520A61D0F0730FDE9D3395048E875A8CF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.313{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C0F4-6156-A800-000000000002}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.313{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.313{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.313{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.313{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.313{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.313{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.313{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.313{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.313{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.313{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C0F4-6156-A800-000000000002}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.313{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C0F4-6156-A800-000000000002}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:04.313{69CF5F33-C0F4-6156-A800-000000000002}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:05.622{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471D9F827FD55E960648493475BD0461,SHA256=47177DB96A63871F9C56A86B14D8C582ADAA1EFCF2CCE892878132F73C24B6BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:05.609{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7CEA87E76C7C6F9D63B155BF03FC44,SHA256=C47DE05892797DA2925B0544C1B549F2563B93DFED143B928607D7372CFF609E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:03.504{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49810-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001669973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:05.125{69CF5F33-C0F4-6156-A900-000000000002}18922460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:06.638{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790C053A863D27B69B046EB3967B1C04,SHA256=A152EFDC5DC04E18F2FFE097FCFBAF862E294D7824B725DCE2E3C44DC2B843EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:06.640{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DEA6E10C1CB6A5AA150AD2A77F8531A,SHA256=AE9027C9EFC5839B3353F024DF8D2EBB55797B74CC47E3A6251EF88070114443,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001669989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:06.562{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C0F6-6156-AA00-000000000002}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:06.562{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:06.562{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:06.562{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:06.562{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:06.562{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:06.562{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:06.562{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:06.562{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:06.562{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:06.562{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C0F6-6156-AA00-000000000002}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001669978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:06.562{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C0F6-6156-AA00-000000000002}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001669977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:06.563{69CF5F33-C0F6-6156-AA00-000000000002}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001669976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:06.125{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBC1EF3750F733F85FE0D46AF02FCB42,SHA256=FCEE19FF30089578B7D75F329F061FD3B866BFED109B7A9747AA1E7C3EECC0B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:07.653{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB430B5316F4C3FF832F7061EB9A60E7,SHA256=6A09E3DCFC85AA2E6974682D7B379762C23C69C52F52621B51F03E434681935A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:07.874{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=777BE6AE71FE6A8C6089B71062B6F838,SHA256=EBB7B98C5C9E7DD63709FB99E7696C23A65DCBC19E959F70149CC3CAE8318581,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:05.167{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61879-false10.0.1.12-8000- 23542300x80000000000000001669991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:07.609{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23768EC8EAF4ACAAE9BB1DF317BC9DD3,SHA256=DA5E74C95DC4ACFE0E5087951EC729E67ACDB110A0980C3D4F55CDD5D2EF7690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:08.905{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA769B6F288A0C53781487706F8C8ED,SHA256=C2BE6CEE96DC9B424316925E8BFCB37FF25AC7D7780C5C3B18F5830A3AFD078A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:08.669{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFED42669A0F183D507D344A881199F4,SHA256=229C78B2E9202F8EAB134340AAC61D6F5C5E2FB566A8B2E6A8ECD7E7A15B7F5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:09.921{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734D841F079965F4571D859D889DC6CF,SHA256=7F87BED0281CD00B1D2EBE39B3192E9320F602D9D55B0AD4579C60407FDA8B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:09.684{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65442EB0F02C625988250994D41C713C,SHA256=BB56A2DB6C65DEACE95EC01B0A18BF2681C5E94E9CBBE1285116B386D87C9936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:10.936{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2552544CB22222B9868A65055A4B4F3E,SHA256=E6CAEB80BC966763E3128E24CE6B106D31DCF785FBCACD8527DB7241734D26A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:10.684{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE7F2D7A897451B8DDFBD68E9B082F6,SHA256=C1A23945282CF7629F02C67E77B9A7C5D267F2B44BA87463F8479CF45CBE9B98,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001669995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:09.550{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49811-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001669997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:11.952{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A2D1C971C64E0F8AAAF8FF73CC43DE,SHA256=9CEAD297D9497458E338CAA568F57BE1396F25170EDE7C1934CAC777171B81E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:11.684{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF73FAA216282A66139AE6AA7EB743B4,SHA256=06AF6926365E008FEFACA3DEC1DFA16BB097E21994EBC83FF619D87BB19FDF6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:12.967{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA91F5178DFF24404B4E54C0EC99267,SHA256=AD785B5DB00402C75C198B2EC459A9EAA1870FCDAB47B96BFFA0FB09D0DC9C1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:10.214{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61880-false10.0.1.12-8000- 23542300x80000000000000001764147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:12.700{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72C78521417128E804039F16B1DAD39,SHA256=C372E98F924038704E32D8AF26A83ED280660D40F4822F847EC42F5E00F19245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:12.309{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B3100426CB0DA8F9D978349951E12F3,SHA256=422697257FDE16A505790D178C8F73AB6626AAB01EE659314A743873B85648D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:12.309{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB27146DF16263EDE5023F931A1636A8,SHA256=11FEC72676A41CBFC20712B40DBB6D0953207148F2BE0294F8037A5893B77482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001669999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:13.982{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A3D13B2E0C05676875D925CB00F1F9,SHA256=92D21D105FFF0369EFB049479B5307704F67C52C94A9F624D5F287EBB9FD2B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.841{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB598A76749CF15FEF6DD5D8FE767AE,SHA256=B71715F732B1702F02EB51ADD2B0B7CF6991B3AE8A35F7E0DCC51B88B878BC1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1100-000000000002}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1100-000000000002}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:13.372{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:14.872{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=576B175F42A09D2439D5F0BFF7E6E8B6,SHA256=A1A990BE5CCEEC720AE7F3864BE98543CEA4ED4D7F1C115718252D1291648C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:15.872{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7614EFA07E65EA276CFC303EE89471FC,SHA256=A3A641DF088E8774FE127036E04B9DF65327EF0D63E32FE1D6B475020BE5701D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:14.998{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD97C64323683DAB0294160EC4FA4E44,SHA256=2FD961B0F45D2A29647598FA5B653CB006C458CDEF12C43D61FCBCBF2311497A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:16.903{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518DDB30F5079C74838697DD1A2F5522,SHA256=7511B48B4F606CB6B23749BFA5CE60E735DE2767FB27D0D4F15D45768364D740,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:15.566{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49812-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:16.013{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5213B15C42D6BB22537BC3617D8EC7C,SHA256=466F368EBDD6943FCFD61A572EAD306A5B4ED6FEE4FFB007408BB1E6C535A020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:17.919{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70154C0F24C6F2D99FAA08857A59CAC8,SHA256=AF0B424508CC3AF37A72A2351656DEBCE7701C44AD2024651C23A38252A306C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:17.028{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC080145692129FFC8D7A54F346D170A,SHA256=5D7A0A462873EAC414F2C5BEF6ED0436708292CD6EBA3C9E2BD8452579F76EF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:18.936{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A08294949B0D9D7FAD8DAC170998C034,SHA256=08DD18013565CEE29FFFFF7E983131C28FC50C6884A4969D63B7F48DB12C6B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:18.044{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB9FC83DDD076E23002D89A8E49B721,SHA256=19408C41927699D0C2D3BA4B89BA20448A37C9034099404F247055EFC6E44557,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:16.245{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61881-false10.0.1.12-8000- 23542300x80000000000000001764192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:19.955{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3294B069EFB04BE97BA65C0766FD7170,SHA256=A31AE43B9929A12C92D6ECC4F4A41AE15020D6EA25473096B04EB2B78687FD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:19.059{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6903AA0819BA72021145C53601802491,SHA256=F631C6C5FB546D33FE31DDF2B61819669758B5FC402735F8F60FE37703E30DCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:19.396{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20211001075710-006MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:20.766{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C104-6156-D300-000000000002}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:20.766{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:20.766{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:20.766{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:20.766{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:20.766{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C104-6156-D300-000000000002}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:20.766{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C104-6156-D300-000000000002}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:20.767{5EBD8912-C104-6156-D300-000000000002}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:20.393{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20211001075708-007MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001670007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:04:20.731{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0xf086ed74) 23542300x80000000000000001670006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:20.075{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297D4ABE4EDB1E15593971F6CB97E321,SHA256=1DC60BCB07C4CE5C8BFBA4BD0C5F69B03F0E2D4AAEA0C7BAC8457A7A4CA88787,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:20.644{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49813-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:21.090{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990ADA0B6C39F689F93B48443E8D2557,SHA256=EEC8E8037E295204E8B2CC09F0B10D77DB277830FDE24D46DB706115A3B28B47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:21.818{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C105-6156-D400-000000000002}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:21.818{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:21.818{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:21.818{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:21.818{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:21.818{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C105-6156-D400-000000000002}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:21.818{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C105-6156-D400-000000000002}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:21.819{5EBD8912-C105-6156-D400-000000000002}5596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:21.787{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2846A11B775C46198EAEBB0C20E73781,SHA256=F6BE247C57AE1D220E08C34815228E716EFCCBE7F9122CBC9471C7296A92E7C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:21.787{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B3100426CB0DA8F9D978349951E12F3,SHA256=422697257FDE16A505790D178C8F73AB6626AAB01EE659314A743873B85648D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:21.006{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F298AFC7505863F377ADB08031F86D1C,SHA256=6BEF668826C776B91AF52F22EBB80788F590D8D692F4C5012C82F74D2DD391BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:22.105{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D131B1E4EED3F7E674C416863299D8,SHA256=D597B3183419B745C80CC94421B0B77D96BED083F9ECD9E7BEEEF507C03E2E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.834{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2846A11B775C46198EAEBB0C20E73781,SHA256=F6BE247C57AE1D220E08C34815228E716EFCCBE7F9122CBC9471C7296A92E7C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.709{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C106-6156-D600-000000000002}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.709{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.709{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.709{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.709{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C106-6156-D600-000000000002}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.709{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.709{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C106-6156-D600-000000000002}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.710{5EBD8912-C106-6156-D600-000000000002}4816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.427{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E358BE654E4EE1ABF947584A09C247C3,SHA256=25FEDA16535E866D9DC0A9A64FA9E2E9CD82F73A751E93BEBE966CFC9114775D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.427{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=94015340B9AA11A5D5C3E98D48C7C378,SHA256=7B9FE86DD6A616EE7E132E0F455BA74752B551934E6568A448F95FE98F7FED25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.396{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.396{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.396{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001764228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.365{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-09-27 08:51:58.895 23542300x80000000000000001764227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.365{5EBD8912-BFAB-6156-9200-000000000002}4576ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=7708E5C02E72FD8577C0B406A124FF9F,SHA256=C978D3C772F0692A6C9CCE4955C2D044AC52CF957E309254F934E8053DCE0E1C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001764226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.334{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\1.vbs.lnk2021-10-01 07:59:18.333 23542300x80000000000000001764225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.318{5EBD8912-BFAB-6156-9200-000000000002}4576ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\1.vbs.lnkMD5=7C710229826BC1D0DBA3C153C325A521,SHA256=928FFA5ACA2D14E3E7B22508B4888ED62BBD440A9799E896914E19B9907A721C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.318{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C106-6156-D500-000000000002}5428C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.302{5EBD8912-BF43-6156-1600-000000000002}12961512C:\Windows\system32\svchost.exe{5EBD8912-C106-6156-D500-000000000002}5428C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.302{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-C106-6156-D500-000000000002}5428C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.256{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-C106-6156-D500-000000000002}5428C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.256{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.256{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.256{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.256{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.256{5EBD8912-BFAB-6156-9200-000000000002}45764480C:\Windows\Explorer.EXE{5EBD8912-C106-6156-D500-000000000002}5428C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+18cf2c|C:\Windows\System32\SHELL32.dll+18cc83|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.259{5EBD8912-C106-6156-D500-000000000002}5428C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\1.vbs" C:\Temp\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001764214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.037{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B9342A9C317FC5F077DB8C0748167F,SHA256=13C674B421A1BD425651DFAC70D871B83384F3DD30AEE30869CCD11A6ECBEDB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.021{5EBD8912-C105-6156-D400-000000000002}55965592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:23.121{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD2A8F2863B6DE625B8DDB44D140461,SHA256=101D877713E062D90476BD0F7A058B50B56201361580A7024EDFB92E8C53BEAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.912{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.912{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.912{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.912{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.912{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.912{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.912{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.912{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.912{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.318{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E358BE654E4EE1ABF947584A09C247C3,SHA256=25FEDA16535E866D9DC0A9A64FA9E2E9CD82F73A751E93BEBE966CFC9114775D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:21.035{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61882-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001764274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:21.035{5EBD8912-BF53-6156-2300-000000000002}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61882-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 10341000x80000000000000001764273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.146{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D800-000000000002}5924C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.146{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D800-000000000002}5924C:\Windows\SYSWOW64\WSCRIPT.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.146{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D800-000000000002}5924C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.099{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.099{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.099{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.099{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-C107-6156-D800-000000000002}5924C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.099{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.099{5EBD8912-C106-6156-D500-000000000002}54285920C:\Windows\System32\WScript.exe{5EBD8912-C107-6156-D800-000000000002}5924C:\Windows\SYSWOW64\WSCRIPT.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.109{5EBD8912-C107-6156-D800-000000000002}5924C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\1.vbs"C:\Temp\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=4F021FB3CBD3023D2E20F69176E00099,SHA256=D63ADCCC897B7F74FE56170446D100C7C0F740A6CF01AD17913409581F392E74,IMPHASH=63ECF92956704DAB3E8ACC4116ED9C44{5EBD8912-C106-6156-D500-000000000002}5428C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\1.vbs" 23542300x80000000000000001764263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.099{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=740FE40A25BE0BC438007FEA17F17226,SHA256=C98F8E9F12D96B4B6AC9AC7325C295E2BFE4C9B868A3BD6EFE18D8518D89AF6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.099{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-C106-6156-D500-000000000002}5428C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.099{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-C106-6156-D500-000000000002}5428C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.068{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.068{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.068{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.068{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.068{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.068{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.068{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.068{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.068{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.068{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.068{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.037{5EBD8912-BF43-6156-1600-000000000002}12965712C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.021{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.006{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.006{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C107-6156-D700-000000000002}5808C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.006{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.006{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:23.006{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.974{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C108-6156-DB00-000000000002}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.974{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.974{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.974{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.974{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.974{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C108-6156-DB00-000000000002}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.974{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C108-6156-DB00-000000000002}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.975{5EBD8912-C108-6156-DB00-000000000002}5512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001764310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.490{5EBD8912-C108-6156-DA00-000000000002}59005864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001764309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1122SetValue2021-10-01 08:04:24.318{5EBD8912-C108-6156-D900-000000000002}5832C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll 10341000x80000000000000001764308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.318{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-C108-6156-D900-000000000002}5832C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.318{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-C108-6156-D900-000000000002}5832C:\Windows\SysWOW64\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.302{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C108-6156-DA00-000000000002}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.302{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.302{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.302{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.302{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.302{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C108-6156-DA00-000000000002}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.302{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C108-6156-DA00-000000000002}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.303{5EBD8912-C108-6156-DA00-000000000002}5900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001764298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:22.020{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61883-false10.0.1.12-8000- 10341000x80000000000000001764297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.162{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-C108-6156-D900-000000000002}5832C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.146{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.146{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.146{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.146{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.146{5EBD8912-C107-6156-D800-000000000002}59245912C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-C108-6156-D900-000000000002}5832C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+12425f(wow64)|C:\Windows\System32\windows.storage.dll+123f7f(wow64)|C:\Windows\System32\windows.storage.dll+123cc7(wow64)|C:\Windows\System32\windows.storage.dll+124cb5(wow64)|C:\Windows\System32\windows.storage.dll+123af1(wow64)|C:\Windows\System32\windows.storage.dll+125eba(wow64)|C:\Windows\System32\windows.storage.dll+1262b7(wow64)|C:\Windows\System32\windows.storage.dll+1258e5(wow64)|C:\Windows\System32\SHELL32.dll+18be24(wow64)|C:\Windows\System32\SHELL32.dll+18bcfe(wow64)|C:\Windows\System32\SHELL32.dll+1ad61a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x80000000000000001764291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.159{5EBD8912-C108-6156-D900-000000000002}5832C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll"C:\Temp\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467,IMPHASH=D053774A49BA83FF54C68888CB687C6C{5EBD8912-C107-6156-D800-000000000002}5924C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\1.vbs" 10341000x80000000000000001764290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.146{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-C107-6156-D800-000000000002}5924C:\Windows\SYSWOW64\WSCRIPT.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.146{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-C107-6156-D800-000000000002}5924C:\Windows\SYSWOW64\WSCRIPT.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.084{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A25C2E6EBC310AE7728913F7F578AE0B,SHA256=15859BEB3C89F56020EFDCA5D93F99B67E6B625BDBFB29764FDB9BF7F541815B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:24.136{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380EBEA8A89856713D6CEF86BEC50C46,SHA256=DD9D58FEDE7096CCA5A42530753C23397556618014E527C89D8AD40CFA670936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:24.021{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D08E623E28285CE9EE70AD3297679A41,SHA256=D0608AC3432454686967EBB8D2C845D5215D8555F08E4A4E4D17F21464E38C7D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001764286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:04:24.006{5EBD8912-C107-6156-D800-000000000002}5924C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll2021-10-01 08:04:24.006 23542300x80000000000000001764321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:25.271{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2965C3BEFB499BBDA8F61C1384CEA91,SHA256=5F2E2273C4AEAD6D0E9B3A36D204AEA67C7206D2DD751C79D81338AC3F358B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:25.271{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B956B4970C8F228DB44E2FF8189B4D98,SHA256=E83C8CF886036A92DFAAF3C41A3F6F52169A58E7C49D2641634B914AFF94AC67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:25.131{5EBD8912-C108-6156-DB00-000000000002}55125548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:25.151{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C87008DC6A0E71B19E0EA71F28250BC,SHA256=9F931EC5BBD8E662477A3852C105B5AE4331633051C15617E273948C2EFE181A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.474{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-C10A-6156-DD00-000000000002}4124C:\Windows\winhlp32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.474{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-C10A-6156-DD00-000000000002}4124C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001764349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1122SetValue2021-10-01 08:04:26.459{5EBD8912-C10A-6156-DE00-000000000002}5980C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll 10341000x80000000000000001764348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.459{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-C10A-6156-DE00-000000000002}5980C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.459{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-C10A-6156-DE00-000000000002}5980C:\Windows\SysWOW64\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.427{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.427{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.427{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.427{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.427{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-C10A-6156-DE00-000000000002}5980C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.427{5EBD8912-C107-6156-D800-000000000002}59244588C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-C10A-6156-DE00-000000000002}5980C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+12425f(wow64)|C:\Windows\System32\windows.storage.dll+123f7f(wow64)|C:\Windows\System32\windows.storage.dll+123cc7(wow64)|C:\Windows\System32\windows.storage.dll+124cb5(wow64)|C:\Windows\System32\windows.storage.dll+123af1(wow64)|C:\Windows\System32\windows.storage.dll+125eba(wow64)|C:\Windows\System32\windows.storage.dll+1262b7(wow64)|C:\Windows\System32\windows.storage.dll+1258e5(wow64)|C:\Windows\System32\SHELL32.dll+18be24(wow64)|C:\Windows\System32\SHELL32.dll+18bcfe(wow64)|C:\Windows\System32\SHELL32.dll+1ad61a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x80000000000000001764340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.428{5EBD8912-C10A-6156-DE00-000000000002}5980C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll"C:\Temp\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467,IMPHASH=D053774A49BA83FF54C68888CB687C6C{5EBD8912-C107-6156-D800-000000000002}5924C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\1.vbs" 10341000x80000000000000001764339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.412{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.412{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.412{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.412{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.412{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-C10A-6156-DD00-000000000002}4124C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.412{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-C10A-6156-DD00-000000000002}4124C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005C20169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll+155b(wow64)|UNKNOWN(00000000005065C8) 154100x80000000000000001764333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.418{5EBD8912-C10A-6156-DD00-000000000002}4124C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Temp\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E,IMPHASH=5497DA35A50C4F06BF55433E33516141{5EBD8912-C107-6156-D800-000000000002}5924C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\1.vbs" 23542300x80000000000000001764332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.240{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=44DAAA02F3311F831C95E52FAB87B77E,SHA256=0809807E7082205EA4B004629809FECF54673FFF1C6C180C217FB1762E1BCBBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.193{5EBD8912-C10A-6156-DC00-000000000002}41085936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.146{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2486DE223A38B796F62BDD9FDF45E372,SHA256=22789D9A7C0FDFEDA060E8FABC2FE88F9ED755A190AAC66694B0718B0B30EBE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:26.167{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E4AD4D2D3E531ACB6C3CA52C6B80D3F,SHA256=B47AEACA03B34E899A67EBE35E1C62912CC95F71B5B7E7881C9D0BEE2D1CCC93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.021{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C10A-6156-DC00-000000000002}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.006{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.006{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.006{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.006{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.006{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C10A-6156-DC00-000000000002}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.006{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C10A-6156-DC00-000000000002}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.006{5EBD8912-C10A-6156-DC00-000000000002}4108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001764361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:27.693{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C10B-6156-DF00-000000000002}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:27.693{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:27.693{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:27.693{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:27.693{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:27.693{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C10B-6156-DF00-000000000002}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:27.693{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C10B-6156-DF00-000000000002}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:27.694{5EBD8912-C10B-6156-DF00-000000000002}5560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:27.396{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=841B2F6FF0411FF7FBE7A9AFFCEBD9A5,SHA256=C3428EA92CC863358DBA82D23072B36ABEF9B69EE42AEA6750F8A392DE4FF193,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:26.581{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49814-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:27.401{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3276CBDCEAD2637F75CB0975F76B8CBF,SHA256=97A9B9304C647DEEFF86313F47CCD4CC3BCBBA7D040B948320E0C87F8E1066D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:27.052{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AB0BE8308BC0260879973073668F37C,SHA256=69ED27D15DA7AF4813A7EEE33EC85F6D4BA4205EE87ADB1276B5C30F424B7F35,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001764381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:26.524{5EBD8912-C10A-6156-DD00-000000000002}4124snackebay.ddns.net046.43.90.184;C:\Windows\winhlp32.exe 13241300x80000000000000001764380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1122SetValue2021-10-01 08:04:28.724{5EBD8912-C10C-6156-E100-000000000002}5556C:\Windows\SysWOW64\regsvr32.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\(Default)C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll 10341000x80000000000000001764379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.724{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-C10C-6156-E100-000000000002}5556C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.724{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-C10C-6156-E100-000000000002}5556C:\Windows\SysWOW64\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.709{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5758F37FDC51461E09C064810EC59BC,SHA256=D1119C4AA501CE2DD4F29523162A86FCE99047955095ED21F21393A0BFB65797,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.693{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.693{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.693{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.693{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.693{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-C10C-6156-E100-000000000002}5556C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.693{5EBD8912-C107-6156-D800-000000000002}59245608C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-C10C-6156-E100-000000000002}5556C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+12425f(wow64)|C:\Windows\System32\windows.storage.dll+123f7f(wow64)|C:\Windows\System32\windows.storage.dll+123cc7(wow64)|C:\Windows\System32\windows.storage.dll+124cb5(wow64)|C:\Windows\System32\windows.storage.dll+123af1(wow64)|C:\Windows\System32\windows.storage.dll+125eba(wow64)|C:\Windows\System32\windows.storage.dll+1262b7(wow64)|C:\Windows\System32\windows.storage.dll+1258e5(wow64)|C:\Windows\System32\SHELL32.dll+18be24(wow64)|C:\Windows\System32\SHELL32.dll+18bcfe(wow64)|C:\Windows\System32\SHELL32.dll+1ad61a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x80000000000000001764370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.705{5EBD8912-C10C-6156-E100-000000000002}5556C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll"C:\Temp\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467,IMPHASH=D053774A49BA83FF54C68888CB687C6C{5EBD8912-C107-6156-D800-000000000002}5924C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\1.vbs" 10341000x80000000000000001764369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.693{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.693{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.693{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.693{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.693{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-C10C-6156-E000-000000000002}4364C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.693{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-C10C-6156-E000-000000000002}4364C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005D30169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000000505EA8) 154100x80000000000000001764363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.696{5EBD8912-C10C-6156-E000-000000000002}4364C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Temp\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E,IMPHASH=5497DA35A50C4F06BF55433E33516141{5EBD8912-C107-6156-D800-000000000002}5924C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\1.vbs" 23542300x80000000000000001764362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:28.412{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F744B7BC6A5D689D684DA4087724EBBE,SHA256=CE64176E32875AA086C41B060C82EAB0B1AAB0E234ABA23AB490482B7DE86DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:28.619{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4400CAF8EA9E9B1CABAA23CF712EFEEF,SHA256=3C92862E7817F8BDDAB6DC6E812B4E8382B9ABA93320D996137F73855C0DE803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:29.474{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D601516E399C9AC89CD3ED43838FDE,SHA256=C96DAD93CA899B5F109B08C0B4620F5598D54F81EAA5D2B14E04A04883A4EE4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:29.635{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63DC68DF32B80780DDADABCB8F88956,SHA256=F79586332F850FF6308A7E635DA55B1754DEC55CEED2213455FB46BD77947B68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:27.191{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61885-false10.0.1.12-8000- 23542300x80000000000000001670019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:30.853{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF83DD485E81794330403821316C526A,SHA256=9A8488B627CFCC42D960DE7CD7E17ECF7715A85A96F28CEBACF46CD780905EEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:30.943{5EBD8912-BF41-6156-0A00-000000000002}6282712C:\Windows\system32\services.exe{5EBD8912-C10E-6156-E400-000000000002}5108C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:30.943{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C10E-6156-E400-000000000002}5108C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:30.943{5EBD8912-BF41-6156-0A00-000000000002}628724C:\Windows\system32\services.exe{5EBD8912-C10E-6156-E400-000000000002}5108C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+17f9d|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:30.943{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:30.943{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:30.943{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:30.943{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:30.943{5EBD8912-C10E-6156-E200-000000000002}61246136C:\Windows\winhlp32.exe{5EBD8912-C10E-6156-E300-000000000002}6108C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6614|C:\Windows\System32\wow64.dll+25bce|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|UNKNOWN(0000000077E6EF6C)|UNKNOWN(0000000077EECF02)|UNKNOWN(0000000077EAF19A)|UNKNOWN(0000000077EAE602)|UNKNOWN(0000000077EAE24A)|UNKNOWN(0000000077EA67D2)|UNKNOWN(0000000077E67FC0) 10341000x80000000000000001764391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:30.927{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:30.927{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:30.927{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:30.927{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:30.927{5EBD8912-BFA9-6156-8100-000000000002}37161076C:\Windows\system32\csrss.exe{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:30.927{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|UNKNOWN(0000000005EB0169)|C:\Windows\System32\USER32.dll+d30a(wow64)|C:\Windows\System32\USER32.dll+c997(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\dynwrapx.dll+155b(wow64)|UNKNOWN(0000000006C336E0) 154100x80000000000000001764385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:30.931{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe10.0.14393.0 (rs1_release.160715-1616)Windows Winhlp32 StubMicrosoft® Windows® Operating SystemMicrosoft CorporationWINHLP32.EXE"C:\Windows\winhlp32.exe"C:\Temp\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=9328E170E5407D9DDE7EB1E208A2CBB4,SHA256=B32AD4D55CD16563908C3AD06B38020FDC9679FBF1BF8EDFFE747EE4122AF62E,IMPHASH=5497DA35A50C4F06BF55433E33516141{5EBD8912-C107-6156-D800-000000000002}5924C:\Windows\SysWOW64\wscript.exe"C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Temp\1.vbs" 23542300x80000000000000001764384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:30.506{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B99AEB402E2E5389A068D06DCBAD153,SHA256=B9DAC486AD9A4D25493BC3D56F2986E5518A4BA54D8B0C62B23BBA48C9AB3FE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.943{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFC17258960BC49040376BBBECA967F0,SHA256=5DB70DEB86079D31543530C0B4A51F8665EF5DDEF74D675D4D5DA9A5DEF0A3C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.521{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DD84BD619B4F423782657E15FEC23C,SHA256=CFD29FBBFB0D861B19117C9E1E6550B74291392021CC01CD385AE592A786676F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.131{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D852B65375F8022083D185314D4A67,SHA256=99B8620FB5147C4C5D20AA8315B1460A19FA0B022337433D81D62DE0BBFE9351,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.115{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+ca9c|C:\Windows\system32\winsrv.DLL+e3bc|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\CSRSRV.dll+782b|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.115{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\kernelbase.dll+221bd|C:\Windows\system32\winsrv.DLL+e279|C:\Windows\SYSTEM32\CSRSRV.dll+80f0|C:\Windows\SYSTEM32\CSRSRV.dll+782b|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.099{5EBD8912-C10F-6156-E500-000000000002}60442848C:\Windows\SysWOW64\WerFault.exe{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+11555(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001764458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.099{5EBD8912-C10F-6156-E500-000000000002}60442848C:\Windows\SysWOW64\WerFault.exe{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\SYSTEM32\ntdll.dll+a99ac(wow64)|C:\Windows\System32\KERNEL32.DLL+33dd3(wow64)|C:\Windows\System32\KERNEL32.DLL+2b6b1(wow64)|C:\Windows\System32\faultrep.dll+13a39(wow64)|C:\Windows\System32\faultrep.dll+e2ff(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001764457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.099{5EBD8912-C10F-6156-E500-000000000002}60442848C:\Windows\SysWOW64\WerFault.exe{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11426(wow64)|C:\Windows\System32\faultrep.dll+1151d(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001764456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.099{5EBD8912-C10F-6156-E500-000000000002}60442848C:\Windows\SysWOW64\WerFault.exe{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\faultrep.dll+27043(wow64)|C:\Windows\System32\faultrep.dll+12080(wow64)|C:\Windows\System32\faultrep.dll+defa(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001764455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.099{5EBD8912-C10F-6156-E500-000000000002}60442848C:\Windows\SysWOW64\WerFault.exe{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+158bab(wow64)|C:\Windows\System32\faultrep.dll+11157(wow64)|C:\Windows\System32\faultrep.dll+de46(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001764454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.099{5EBD8912-C10F-6156-E500-000000000002}60442848C:\Windows\SysWOW64\WerFault.exe{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\faultrep.dll+dde4(wow64)|C:\Windows\System32\faultrep.dll+d2f2(wow64)|C:\Windows\SysWOW64\WerFault.exe+16f07|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001764453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.099{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-C10F-6156-E500-000000000002}6044C:\Windows\SysWOW64\WerFault.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.099{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-C10F-6156-E500-000000000002}6044C:\Windows\SysWOW64\WerFault.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.099{5EBD8912-C10F-6156-E500-000000000002}60442848C:\Windows\SysWOW64\WerFault.exe{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16ecf|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001764450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.099{5EBD8912-C10F-6156-E500-000000000002}60442848C:\Windows\SysWOW64\WerFault.exe{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\SysWOW64\WerFault.exe+16e14|C:\Windows\SysWOW64\WerFault.exe+6451|C:\Windows\SysWOW64\WerFault.exe+23a2f|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x80000000000000001764449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.084{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+176489(wow64)|C:\Windows\System32\SHELL32.dll+175f9c(wow64)|C:\Windows\System32\SHELL32.dll+43fb52(wow64)|C:\Windows\System32\SHELL32.dll+43ea24(wow64)|C:\Windows\System32\SHELL32.dll+43e050(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+5004de(wow64)|C:\Windows\System32\SHELL32.dll+4ff6e9(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x80000000000000001764448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.084{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+17640a(wow64)|C:\Windows\System32\SHELL32.dll+175f9c(wow64)|C:\Windows\System32\SHELL32.dll+43fb52(wow64)|C:\Windows\System32\SHELL32.dll+43ea24(wow64)|C:\Windows\System32\SHELL32.dll+43e050(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+5004de(wow64)|C:\Windows\System32\SHELL32.dll+4ff6e9(wow64)|C:\Windows\System32\OLEAUT32.dll+3c45f(wow64)|C:\Windows\System32\OLEAUT32.dll+1f254(wow64)|C:\Windows\System32\OLEAUT32.dll+1fcdd(wow64) 10341000x80000000000000001764447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.084{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+1763f5(wow64)|C:\Windows\System32\SHELL32.dll+175f9c(wow64)|C:\Windows\System32\SHELL32.dll+43fb52(wow64)|C:\Windows\System32\SHELL32.dll+43ea24(wow64)|C:\Windows\System32\SHELL32.dll+43e050(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+5004de(wow64) 10341000x80000000000000001764446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.084{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+1763f5(wow64)|C:\Windows\System32\SHELL32.dll+175f9c(wow64)|C:\Windows\System32\SHELL32.dll+43fb52(wow64)|C:\Windows\System32\SHELL32.dll+43ea24(wow64)|C:\Windows\System32\SHELL32.dll+43e050(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+5004de(wow64)|C:\Windows\System32\SHELL32.dll+4ff6e9(wow64) 10341000x80000000000000001764445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.068{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b21c(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+109a5f(wow64)|C:\Windows\System32\windows.storage.dll+109733(wow64)|C:\Windows\System32\SHELL32.dll+4412e1(wow64)|C:\Windows\System32\SHELL32.dll+43fa75(wow64)|C:\Windows\System32\SHELL32.dll+43ea24(wow64)|C:\Windows\System32\SHELL32.dll+43e050(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+5004de(wow64) 10341000x80000000000000001764444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.068{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b14f(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+109a5f(wow64)|C:\Windows\System32\windows.storage.dll+109733(wow64)|C:\Windows\System32\SHELL32.dll+4412e1(wow64)|C:\Windows\System32\SHELL32.dll+43fa75(wow64)|C:\Windows\System32\SHELL32.dll+43ea24(wow64)|C:\Windows\System32\SHELL32.dll+43e050(wow64)|C:\Windows\System32\shlwapi.dll+2d92a(wow64)|C:\Windows\System32\SHELL32.dll+5004de(wow64) 10341000x80000000000000001764443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.068{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+109a5f(wow64)|C:\Windows\System32\windows.storage.dll+109733(wow64)|C:\Windows\System32\SHELL32.dll+4412e1(wow64)|C:\Windows\System32\SHELL32.dll+43fa75(wow64) 10341000x80000000000000001764442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.068{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+109a5f(wow64)|C:\Windows\System32\windows.storage.dll+109733(wow64)|C:\Windows\System32\SHELL32.dll+4412e1(wow64)|C:\Windows\System32\SHELL32.dll+43fa75(wow64)|C:\Windows\System32\SHELL32.dll+43ea24(wow64) 10341000x80000000000000001764441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.068{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+176489(wow64)|C:\Windows\System32\SHELL32.dll+175f9c(wow64)|C:\Windows\System32\SHELL32.dll+16ea9d(wow64)|C:\Windows\System32\windows.storage.dll+1d012e(wow64)|C:\Windows\System32\windows.storage.dll+1cfca2(wow64)|C:\Windows\System32\windows.storage.dll+109fcd(wow64)|C:\Windows\System32\windows.storage.dll+1098c9(wow64)|C:\Windows\System32\windows.storage.dll+109733(wow64)|C:\Windows\System32\SHELL32.dll+4412e1(wow64)|C:\Windows\System32\SHELL32.dll+43fa75(wow64)|C:\Windows\System32\SHELL32.dll+43ea24(wow64) 10341000x80000000000000001764440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.068{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+17640a(wow64)|C:\Windows\System32\SHELL32.dll+175f9c(wow64)|C:\Windows\System32\SHELL32.dll+16ea9d(wow64)|C:\Windows\System32\windows.storage.dll+1d012e(wow64)|C:\Windows\System32\windows.storage.dll+1cfca2(wow64)|C:\Windows\System32\windows.storage.dll+109fcd(wow64)|C:\Windows\System32\windows.storage.dll+1098c9(wow64)|C:\Windows\System32\windows.storage.dll+109733(wow64)|C:\Windows\System32\SHELL32.dll+4412e1(wow64)|C:\Windows\System32\SHELL32.dll+43fa75(wow64)|C:\Windows\System32\SHELL32.dll+43ea24(wow64) 10341000x80000000000000001764439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.068{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+1763f5(wow64)|C:\Windows\System32\SHELL32.dll+175f9c(wow64)|C:\Windows\System32\SHELL32.dll+16ea9d(wow64)|C:\Windows\System32\windows.storage.dll+1d012e(wow64)|C:\Windows\System32\windows.storage.dll+1cfca2(wow64)|C:\Windows\System32\windows.storage.dll+109fcd(wow64)|C:\Windows\System32\windows.storage.dll+1098c9(wow64) 10341000x80000000000000001764438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.068{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+1763f5(wow64)|C:\Windows\System32\SHELL32.dll+175f9c(wow64)|C:\Windows\System32\SHELL32.dll+16ea9d(wow64)|C:\Windows\System32\windows.storage.dll+1d012e(wow64)|C:\Windows\System32\windows.storage.dll+1cfca2(wow64)|C:\Windows\System32\windows.storage.dll+109fcd(wow64)|C:\Windows\System32\windows.storage.dll+1098c9(wow64)|C:\Windows\System32\windows.storage.dll+109733(wow64) 10341000x80000000000000001764437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.068{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b21c(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+c4ef5(wow64)|C:\Windows\System32\windows.storage.dll+a515d(wow64)|C:\Windows\System32\windows.storage.dll+27ceb0(wow64)|C:\Windows\System32\SHELL32.dll+16dd2d(wow64)|C:\Windows\System32\SHELL32.dll+16e7c6(wow64)|C:\Windows\System32\windows.storage.dll+1d012e(wow64)|C:\Windows\System32\windows.storage.dll+1cfca2(wow64)|C:\Windows\System32\windows.storage.dll+109fcd(wow64) 10341000x80000000000000001764436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.068{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b14f(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+c4ef5(wow64)|C:\Windows\System32\windows.storage.dll+a515d(wow64)|C:\Windows\System32\windows.storage.dll+27ceb0(wow64)|C:\Windows\System32\SHELL32.dll+16dd2d(wow64)|C:\Windows\System32\SHELL32.dll+16e7c6(wow64)|C:\Windows\System32\windows.storage.dll+1d012e(wow64)|C:\Windows\System32\windows.storage.dll+1cfca2(wow64)|C:\Windows\System32\windows.storage.dll+109fcd(wow64) 10341000x80000000000000001764435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.068{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+c4ef5(wow64)|C:\Windows\System32\windows.storage.dll+a515d(wow64)|C:\Windows\System32\windows.storage.dll+27ceb0(wow64)|C:\Windows\System32\SHELL32.dll+16dd2d(wow64) 10341000x80000000000000001764434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.068{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+c4ef5(wow64)|C:\Windows\System32\windows.storage.dll+a515d(wow64)|C:\Windows\System32\windows.storage.dll+27ceb0(wow64)|C:\Windows\System32\SHELL32.dll+16dd2d(wow64)|C:\Windows\System32\SHELL32.dll+16e7c6(wow64) 23542300x80000000000000001764433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.068{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E2AFF70DFFEEBF2A9DB8BF77CDEA8F,SHA256=24C6C1F33D89B60A8C91B0F27AC639218E055D005D9A909184A5F778C6883A3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-C10F-6156-E500-000000000002}6044C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C10F-6156-E500-000000000002}6044C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-C10E-6156-E400-000000000002}51084516C:\Windows\System32\svchost.exe{5EBD8912-C10F-6156-E500-000000000002}6044C:\Windows\SysWOW64\WerFault.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|c:\windows\system32\faultrep.dll+6abb|c:\windows\system32\faultrep.dll+7121|c:\windows\system32\wersvc.dll+b0bc|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.036{5EBD8912-C10F-6156-E500-000000000002}6044C:\Windows\SysWOW64\WerFault.exe10.0.14393.4402 (rs1_release.210426-1725)Windows Problem ReportingMicrosoft® Windows® Operating SystemMicrosoft CorporationWerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 80C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=7BD45584299308DAEA16F2221A464A7F,SHA256=55E74A461777651BE95BBBB93835E69974FE8955631D92A3B7BB97504041D1BB,IMPHASH=CABB1BD9C8861200DB46B24A4934E8E8{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe"C:\Windows\winhlp32.exe" 10341000x80000000000000001764424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b21c(wow64)|C:\Windows\System32\windows.storage.dll+10aa77(wow64)|C:\Windows\System32\windows.storage.dll+10ab09(wow64)|C:\Windows\System32\windows.storage.dll+10a6d3(wow64)|C:\Windows\System32\windows.storage.dll+10a60f(wow64)|C:\Windows\System32\windows.storage.dll+10a17e(wow64)|C:\Windows\System32\windows.storage.dll+109726(wow64)|C:\Windows\System32\SHELL32.dll+4412e1(wow64)|C:\Windows\System32\SHELL32.dll+43fa75(wow64)|C:\Windows\System32\SHELL32.dll+43ea24(wow64)|C:\Windows\System32\SHELL32.dll+43e050(wow64) 10341000x80000000000000001764423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b14f(wow64)|C:\Windows\System32\windows.storage.dll+10aa77(wow64)|C:\Windows\System32\windows.storage.dll+10ab09(wow64)|C:\Windows\System32\windows.storage.dll+10a6d3(wow64)|C:\Windows\System32\windows.storage.dll+10a60f(wow64)|C:\Windows\System32\windows.storage.dll+10a17e(wow64)|C:\Windows\System32\windows.storage.dll+109726(wow64)|C:\Windows\System32\SHELL32.dll+4412e1(wow64)|C:\Windows\System32\SHELL32.dll+43fa75(wow64)|C:\Windows\System32\SHELL32.dll+43ea24(wow64)|C:\Windows\System32\SHELL32.dll+43e050(wow64) 10341000x80000000000000001764422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10aa77(wow64)|C:\Windows\System32\windows.storage.dll+10ab09(wow64)|C:\Windows\System32\windows.storage.dll+10a6d3(wow64)|C:\Windows\System32\windows.storage.dll+10a60f(wow64)|C:\Windows\System32\windows.storage.dll+10a17e(wow64)|C:\Windows\System32\windows.storage.dll+109726(wow64) 10341000x80000000000000001764421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10aa77(wow64)|C:\Windows\System32\windows.storage.dll+10ab09(wow64)|C:\Windows\System32\windows.storage.dll+10a6d3(wow64)|C:\Windows\System32\windows.storage.dll+10a60f(wow64)|C:\Windows\System32\windows.storage.dll+10a17e(wow64)|C:\Windows\System32\windows.storage.dll+109726(wow64)|C:\Windows\System32\SHELL32.dll+4412e1(wow64) 10341000x80000000000000001764420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b21c(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+108221(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+106462(wow64)|C:\Windows\System32\windows.storage.dll+105dc0(wow64)|C:\Windows\System32\windows.storage.dll+1079d4(wow64)|C:\Windows\System32\windows.storage.dll+10c7e0(wow64)|C:\Windows\System32\windows.storage.dll+10a5ab(wow64)|C:\Windows\System32\windows.storage.dll+10a17e(wow64) 10341000x80000000000000001764419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b14f(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+108221(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+106462(wow64)|C:\Windows\System32\windows.storage.dll+105dc0(wow64)|C:\Windows\System32\windows.storage.dll+1079d4(wow64)|C:\Windows\System32\windows.storage.dll+10c7e0(wow64)|C:\Windows\System32\windows.storage.dll+10a5ab(wow64)|C:\Windows\System32\windows.storage.dll+10a17e(wow64) 10341000x80000000000000001764418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+108221(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+106462(wow64)|C:\Windows\System32\windows.storage.dll+105dc0(wow64) 10341000x80000000000000001764417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+108221(wow64)|C:\Windows\System32\windows.storage.dll+2da5ef(wow64)|C:\Windows\System32\windows.storage.dll+106462(wow64)|C:\Windows\System32\windows.storage.dll+105dc0(wow64)|C:\Windows\System32\windows.storage.dll+1079d4(wow64) 10341000x80000000000000001764416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b21c(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+4a018c(wow64)|C:\Windows\System32\windows.storage.dll+2e3758(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+106462(wow64)|C:\Windows\System32\windows.storage.dll+105dc0(wow64)|C:\Windows\System32\windows.storage.dll+1079d4(wow64)|C:\Windows\System32\windows.storage.dll+10c7e0(wow64)|C:\Windows\System32\windows.storage.dll+10a5ab(wow64) 10341000x80000000000000001764415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b14f(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+4a018c(wow64)|C:\Windows\System32\windows.storage.dll+2e3758(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+106462(wow64)|C:\Windows\System32\windows.storage.dll+105dc0(wow64)|C:\Windows\System32\windows.storage.dll+1079d4(wow64)|C:\Windows\System32\windows.storage.dll+10c7e0(wow64)|C:\Windows\System32\windows.storage.dll+10a5ab(wow64) 10341000x80000000000000001764414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+4a018c(wow64)|C:\Windows\System32\windows.storage.dll+2e3758(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+106462(wow64) 10341000x80000000000000001764413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.037{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+4a018c(wow64)|C:\Windows\System32\windows.storage.dll+2e3758(wow64)|C:\Windows\System32\windows.storage.dll+2da3d9(wow64)|C:\Windows\System32\windows.storage.dll+106462(wow64)|C:\Windows\System32\windows.storage.dll+105dc0(wow64) 10341000x80000000000000001764412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.021{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-C10E-6156-E400-000000000002}5108C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.021{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-C10E-6156-E400-000000000002}5108C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001764410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT10232021-10-01 08:04:31.021{5EBD8912-C107-6156-D800-000000000002}5924C:\Windows\SYSWOW64\WSCRIPT.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs2021-10-01 08:04:31.021 10341000x80000000000000001764409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.021{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b21c(wow64)|C:\Windows\System32\windows.storage.dll+10aa77(wow64)|C:\Windows\System32\windows.storage.dll+10ab09(wow64)|C:\Windows\System32\windows.storage.dll+10a6d3(wow64)|C:\Windows\System32\windows.storage.dll+10a683(wow64)|C:\Windows\System32\windows.storage.dll+10a5f2(wow64)|C:\Windows\System32\windows.storage.dll+10a17e(wow64)|C:\Windows\System32\windows.storage.dll+109726(wow64)|C:\Windows\System32\SHELL32.dll+4412e1(wow64)|C:\Windows\System32\SHELL32.dll+43fa75(wow64)|C:\Windows\System32\SHELL32.dll+43ea24(wow64) 10341000x80000000000000001764408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.021{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b14f(wow64)|C:\Windows\System32\windows.storage.dll+10aa77(wow64)|C:\Windows\System32\windows.storage.dll+10ab09(wow64)|C:\Windows\System32\windows.storage.dll+10a6d3(wow64)|C:\Windows\System32\windows.storage.dll+10a683(wow64)|C:\Windows\System32\windows.storage.dll+10a5f2(wow64)|C:\Windows\System32\windows.storage.dll+10a17e(wow64)|C:\Windows\System32\windows.storage.dll+109726(wow64)|C:\Windows\System32\SHELL32.dll+4412e1(wow64)|C:\Windows\System32\SHELL32.dll+43fa75(wow64)|C:\Windows\System32\SHELL32.dll+43ea24(wow64) 10341000x80000000000000001764407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.021{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10aa77(wow64)|C:\Windows\System32\windows.storage.dll+10ab09(wow64)|C:\Windows\System32\windows.storage.dll+10a6d3(wow64)|C:\Windows\System32\windows.storage.dll+10a683(wow64)|C:\Windows\System32\windows.storage.dll+10a5f2(wow64)|C:\Windows\System32\windows.storage.dll+10a17e(wow64) 10341000x80000000000000001764406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.021{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10aa77(wow64)|C:\Windows\System32\windows.storage.dll+10ab09(wow64)|C:\Windows\System32\windows.storage.dll+10a6d3(wow64)|C:\Windows\System32\windows.storage.dll+10a683(wow64)|C:\Windows\System32\windows.storage.dll+10a5f2(wow64)|C:\Windows\System32\windows.storage.dll+10a17e(wow64)|C:\Windows\System32\windows.storage.dll+109726(wow64) 10341000x80000000000000001764405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.021{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1e3dfa(wow64)|C:\Windows\System32\windows.storage.dll+10ad68(wow64)|C:\Windows\System32\windows.storage.dll+10a6d3(wow64)|C:\Windows\System32\windows.storage.dll+10a683(wow64)|C:\Windows\System32\windows.storage.dll+10a5f2(wow64)|C:\Windows\System32\windows.storage.dll+10a17e(wow64)|C:\Windows\System32\windows.storage.dll+109726(wow64)|C:\Windows\System32\SHELL32.dll+4412e1(wow64)|C:\Windows\System32\SHELL32.dll+43fa75(wow64)|C:\Windows\System32\SHELL32.dll+43ea24(wow64) 10341000x80000000000000001764404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.021{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1e3dec(wow64)|C:\Windows\System32\windows.storage.dll+10ad68(wow64)|C:\Windows\System32\windows.storage.dll+10a6d3(wow64)|C:\Windows\System32\windows.storage.dll+10a683(wow64)|C:\Windows\System32\windows.storage.dll+10a5f2(wow64)|C:\Windows\System32\windows.storage.dll+10a17e(wow64)|C:\Windows\System32\windows.storage.dll+109726(wow64) 10341000x80000000000000001764403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.021{5EBD8912-C107-6156-D800-000000000002}59244656C:\Windows\SYSWOW64\WSCRIPT.EXE{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1e3dec(wow64)|C:\Windows\System32\windows.storage.dll+10ad68(wow64)|C:\Windows\System32\windows.storage.dll+10a6d3(wow64)|C:\Windows\System32\windows.storage.dll+10a683(wow64)|C:\Windows\System32\windows.storage.dll+10a5f2(wow64)|C:\Windows\System32\windows.storage.dll+10a17e(wow64)|C:\Windows\System32\windows.storage.dll+109726(wow64)|C:\Windows\System32\SHELL32.dll+4412e1(wow64) 10341000x80000000000000001764402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.006{5EBD8912-C10E-6156-E400-000000000002}51084516C:\Windows\System32\svchost.exe{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+b039|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.006{5EBD8912-C10E-6156-E400-000000000002}51084516C:\Windows\System32\svchost.exe{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+ae29|c:\windows\system32\wersvc.dll+8833|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:31.006{5EBD8912-C10E-6156-E400-000000000002}51084516C:\Windows\System32\svchost.exe{5EBD8912-C10E-6156-E200-000000000002}6124C:\Windows\winhlp32.exe0x50C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\wersvc.dll+8a50|c:\windows\system32\wersvc.dll+86ec|c:\windows\system32\wersvc.dll+5a0f|c:\windows\system32\wersvc.dll+5678|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:32.568{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6919EA63D4F09D580B7A4B7C15AF852E,SHA256=EB30F131FC74E6C17876A70F3BB2E175FE4787031BB8AB168B9BB0A17596EB3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:32.087{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5812C9F9CE52A3DB8A2E4EB6FB13F2CD,SHA256=1AAEB5F87A15908A77239532D5BC30911218E4FBF5F0CDA711E01888EF2F5FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:32.052{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1514D9C309C83453ECB095461B62A74D,SHA256=8946342E5AC2F19D5C08DA52F85CD9B596452538CB255ACB77B9162357EFAF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:32.052{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9BA1D827248E115B59D6D59EB5403F52,SHA256=BED4C4419C6D67EC8E0A4F980DA51EE9BAFD398BB5E0D754FFBFBC72DA26A159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:33.584{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C3374213D2DE1A818F41C8652CB4E2,SHA256=653B1F4E6E493F144DC64FC4A380C2D07C4F592A9F6745554ED0B42EE3C4E7BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:33.259{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE251ED43198248EAD98644256F2896,SHA256=EF4B4C3949EB31A070F9B3A3CE4290A0885F11D8958E9C9B7B6342BE9E38BC07,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:31.644{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49815-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001764469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:34.615{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC1B56C5A103373326B8C186E01ED6D,SHA256=0D2018DFCD8CA728B515043863282DF812315B749E5BFC7FA57FC8C37B3EF858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:34.259{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B24FAEEB47824A1ACBEE58FC64031B,SHA256=AF25FCAF22B8CFB69E0B64F7BEC33550E82C7EB0DB93198AB8A2C8F1938E50A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:33.238{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61886-false10.0.1.12-8000- 23542300x80000000000000001764470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:35.646{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F29A24B71D108E7192B4BC31EC55047,SHA256=6B09346AE16A97454FC13A2FAF8724F999047E75D3986A514FEEEBF93E96FB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:35.274{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C42132DE1BC4B5353242F6A1DE952A,SHA256=5A978C5910F5741DF8515E6337E90285B8FB0B613BED6E01BEAFEBEB4463390E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:36.662{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339FE7F815319966DF54A6115A7C8A44,SHA256=FC2730C1C224DACCB9A28E46934B072B558197F770DFD8E9AB5BCD1677394909,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001670026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:04:36.727{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69a-0xfa0fb8f6) 23542300x80000000000000001670025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:36.289{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B377DD90EB7DCE449448004744DF78BE,SHA256=20C7540E6E0EA29A8262CD4B179671DFDDD2A4F55A4E67568B7BE75F2ED9AF2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:37.709{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F55A0C0F3B2E38A4FD65889344D58E,SHA256=7ACBE28A107690AA3CAB62C479828320A5755E950D26A14D1B437EBF0DE5360F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:37.305{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B069D9519057EE312175991AEB6E3AA1,SHA256=4096E754DE3965AD2727F6D0BCA62BC7DB4CC2B17C70BF2A12F3E382770659C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:38.755{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CC6ADC3ED06DDB7C0C03C26639BD6C,SHA256=E1FAFF78FDB29782CEF905E80E656134EE712BE40389F34DA5508DFF49B87CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:38.320{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB3B69F65FB12083B7F0149421A05CC,SHA256=406BB9C432AE647BABA97950947FBFE8379568D80B6F3DD5565385E9D8A684A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:39.771{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47917641A492100E752FA671E1E6C8C4,SHA256=232C220B32D7644FFDA4B67EE6D3F605041CC1F5DA0CEED9955FE8AD2AAC6DC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:37.425{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49816-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:39.335{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9BD6B820227C3D4BE431AC0330B253B,SHA256=CC7763529A50BF0C1784122BCB6B84E6B324655F54B2AB166D16A8774C7546CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:40.818{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8492839D6B0EB7F60843AF1AAFD9940,SHA256=E057BE0285D536067DA842DFBF703B396370ED0D45C9119264BB11A6E6BA835C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:40.351{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5620632E396ADFBBD90FDD71764F6D6,SHA256=229FA22E75FE4F602E271C5F5C7AFF157E9F2140D16E573E5E6BF620A9B2095F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:41.834{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC64FE78BF58E1708C242117AF7C064,SHA256=4A1524BA4A8E75F2832362004BADDA13847C9D346445D4D1CCB8AA94BE84117D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:41.366{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391E19DBD0665EC9CA6CEBB75C8531B1,SHA256=2EAF946B7ADF857A523273EE00F81AAE73420EAF7EA6D2D224AB94023E38EB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:42.849{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007B8780B8000EED29A52961DB416F2A,SHA256=255F7BB738A621223E2751BE34CB0C0EED7D1CCFF1F40CE334CFD0F38E963BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:42.381{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F307203813C80B71AAF80AA0E5354E,SHA256=7F876853224AA42CBF35956EAB92CE6A99E756262F31A8C9E6A52BF7B9A4584E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:39.175{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61887-false10.0.1.12-8000- 23542300x80000000000000001764480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:43.865{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336CFDB17869C03B787E08E0601E6E98,SHA256=6136661BEAD436D786A95B540A26036B5F1701D539E8A6CA0541F5C7A7240CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:43.397{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32AD075541CC3747F9F3F60DD39427DC,SHA256=EB86B244E086F4DB262A35B923F2056210F6AC0D3D1CCA42C9C66CAC68393FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:44.927{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EACBA2742D0536A055419461603E634,SHA256=8F269DC87EDDD9072271966B845183F8E1554AFCB06504F78CF8BC5F99D5486F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:42.518{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49817-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:44.412{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20E6E2657C12AC84F4E8AE546C6B046,SHA256=30B3E2B404F0931A7CDE5E562417F3286FE16BE1BE2B770C3519B4ECC672FAA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:45.943{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=371249DFAFE9221E97B868A3B30A7ED3,SHA256=0619C2135E8F82978F4BFC6E366F7348D93C802EF4246AA5DF165937CB1C8D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:45.428{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3ABA4F4DBF782DF7E0EB0EF00AAD190,SHA256=553303BE481ACED410DA338985802A98C3F9E48DE1F5229F8635F29694A3AC6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:46.959{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=199D9A3C9740B9EBF64AA637B7B0D2A2,SHA256=9569E087DEFC705C731EF61F000111A27EBF9BDB78732501295DD2DEA662F53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:46.959{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21C8C69F40CBA8C03707DAD10163B422,SHA256=568318F3A80C20474C058E695341D6D3FCE50C9B8A4C2FD343CA62897EC0BD19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:46.943{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080AA9FE01A0BF6E0B2FD7A8B8447CC8,SHA256=F85994D084A05267A9D9AEF6EBF2930F132C89BDCA67AE86DC5BEA28EE046FB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:46.443{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D233D3609184497733A8567CF421BFDF,SHA256=D7D454A2C81D9EFE8E043ED66B4F05E802E1A45FE9D242713AD5350ED0B02FBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:45.175{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61888-false10.0.1.12-8000- 354300x80000000000000001764483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:44.303{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-56318-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001764488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:47.959{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7713568CDFDB89EA6F6C95FAD8662C3,SHA256=8DA5144DA4473A51FCF3E56D1FBBCFA06245F30BCCE0E0B12B1FED117B4247CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:47.458{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AACCF20A57437B9A66754D79F8F5E8DA,SHA256=3523B892CAB67AF662748C5DD4753184212751ED5C7F64F70D7937E3ADEB9181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:48.974{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFCACBF4B56BC4EE96BA52CF4FE2B40,SHA256=BB5542148B7F852CCBD40FD50FC98A3685F26967FA08399E0470A95B49052848,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF43-6156-4300-000000000002}3084C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF41-6156-2700-000000000002}2608C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1400-000000000002}756C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1500-000000000002}1172C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1E00-000000000002}1984C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-0E00-000000000002}912C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-0E00-000000000002}912C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1200-000000000002}308C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-0E00-000000000002}912C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1300-000000000002}384C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-0F00-000000000002}948C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.817{69CF5F33-BF40-6156-0D00-000000000002}8243748C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0C00-000000000002}740C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001670042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:47.628{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49818-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.474{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5518160889A9A74FC6A58086EABFA90,SHA256=696E2E63E00E3F4677F584A7816327BBE105275F658977B74F579D232D818AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:48.224{69CF5F33-BF40-6156-1100-000000000002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=1B59DD7E4D4CAEE2E088F2565EE8E6A5,SHA256=99D339E978B9283B912664E2E896D20CB11549C88F51109B6D5E2086C3566122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:49.990{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909E5166D63689E47D59F70FB1706084,SHA256=D189A5C22FAF9C4E7468F5EA1B28EE5EC9B7420040E280ABCF8B83FA59DF8F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:49.489{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28566BE79FBEE475ECFB3763553105B5,SHA256=12D4176E402E814D72AFDC76E5C59FE060B9436B8CC8C6150B3BF2BE62DB6D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:50.504{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396FA00B5FC788A67DC3F8B8BC136D97,SHA256=86B48E7E9DD1F58268C5911A0E6F17C2074FC0BD0B7A4447EC356DFABD70E12F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:51.520{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704C70EE9C5D6D8EEF29BFCE4477BA73,SHA256=623D31D1E7E5B777ED006603C9914F0F238DEA5A1E412F1CBAF189F7D60C2573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:51.927{5EBD8912-BF43-6156-1200-000000000002}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A7CE12E2FC287A2B7EE34138D9DB9D0B,SHA256=4791F04C43E97EBF77B8E7E546D9292DCE374F3B282EE3432CC91EA9237E7721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:51.052{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8047E3ACBBF421ED3DF52EC3B69B95,SHA256=91C9B67A6EBC46869B0DFBA04348FFD855F325B4A999735C8FBDD5EA1A8A754D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:52.535{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9BE4F702EBA447FBED44EC99262524,SHA256=7AAD650D75C7859D721EC48EE78F350DC37CA38E2B05D6306DDBAF497EA9B454,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:51.222{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61890-false10.0.1.12-8000- 10341000x80000000000000001764518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1100-000000000002}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1200-000000000002}404C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0C00-000000000002}844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-8A00-000000000002}916C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-8A00-000000000002}916C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BFAA-6156-8700-000000000002}3708C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BFA9-6156-8400-000000000002}3856C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0C00-000000000002}844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF55-6156-3900-000000000002}3304C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF54-6156-2F00-000000000002}1592C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2800-000000000002}2924C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2D00-000000000002}2256C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1400-000000000002}1064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1500-000000000002}1248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0E00-000000000002}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0E00-000000000002}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1000-000000000002}432C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0E00-000000000002}1004C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.443{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:52.085{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32585AFAD62A5EBD4F263D5444A5502,SHA256=0E9310C1091B114A3645A3B11EC7F872EABC458824563C9DB4559B44AE871F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:53.535{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4415CFA2AAC392ED571B0439C3EF842F,SHA256=C0B4BF1F170B2EE23F09E55F30B980E291B2CE7EBF709E92E793969F7E8F4C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:53.130{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0103BABCD8014B9313ED3737E0F2AEF,SHA256=B622128175C63F5C140E649B3E74BDA9139D27C10897010D4885154B3787D767,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:53.502{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49819-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:54.550{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3954A89C85E6F24B59A83B7ADA19C3E,SHA256=663F87B64D37D991B0F751865FB72E5FF2F150DCAB7B7211D1C116F1D1AE5463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:54.646{5EBD8912-BF53-6156-2C00-000000000002}3016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:54.146{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC14CD5E004FB1BD9EEC64D65E834A1,SHA256=4FF1F58D5AE16CD286BFD2E4E4C21708B8376D7536E370510E085B237E84AAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:55.566{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D90E14474F56BAE5B543E7A38A3837,SHA256=17C002F9627CAE70847C4EFE990AF9EEE6027A8AE2CCB88C1B4B9088561BF3BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:55.177{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5809B42D2BFF3CC6AA68D7FA3286F52,SHA256=924269B7E4CE84C382E4390B77268A7B7806B758248004C139A2152E633986AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:56.581{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E2F183B59E29C2FE1C0E26C40BB17B,SHA256=813B75573A64C3CB73309A1984D7177FCC68BE951D13E8181D0FCCBA0BEAA1DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:54.628{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61891-false10.0.1.12-8089- 23542300x80000000000000001764524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:56.193{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6EEE1BB38A57205F5C61ED479804A31,SHA256=BC5321B5E90D1B3A77253471E91F97F08B158CE9FB3EC57A2294EAF37F225441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:57.878{69CF5F33-BF40-6156-1A00-000000000002}1872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:57.596{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C3B5AFC7C526EF7D026FE36EA2B143,SHA256=B2964BB451F07BB6638F40DADE204BE0866430E86EA45BFAF567F93ADE0F3CC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:57.209{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=570EC4AB2AB066A7DFBCA2A7F0627206,SHA256=3FCA7B9C02931CDDF1EEA8805BB269B236BC40862E4AC24D1E3228B0EF49950C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:55.631{69CF5F33-BF3D-6156-0100-000000000002}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.15win-host-542.attackrange.local138netbios-dgm 354300x80000000000000001670069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:55.630{69CF5F33-BF3D-6156-0100-000000000002}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-542.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x80000000000000001670073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:58.612{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B821F8C2AF44219407D088C802153FBB,SHA256=3C4667A0AFD9301EFDB25E4EE1E9508F13D0B3D848895542D4E9C7C1AE58E784,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:57.003{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61892-false10.0.1.12-8000- 23542300x80000000000000001764527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:58.224{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7B4B1D56E37090EACE325442325AD9,SHA256=CB7074B7B44AC810A3D328B2686BDDE067F7E203E558BC8C0CB329146373D037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:59.627{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1A85BA4413BD844AFECD0C47BE04EC,SHA256=450890B9A0752C60E0ED0C843BF622BF7F5B5C639FB4BAC60A5D8D8005A50572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:04:59.240{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BA82DEAED654537AC6FB9B2B9CF4D6,SHA256=B85057D874349A822A36A53C36E922559C1B50D069C6A52F7F9795122CEE4A91,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:58.284{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49820-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x80000000000000001670103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.877{69CF5F33-C12C-6156-AC00-000000000002}28283540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.689{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C12C-6156-AC00-000000000002}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.689{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.689{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.689{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.689{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.689{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.689{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.689{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.689{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.689{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.689{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C12C-6156-AC00-000000000002}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.689{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C12C-6156-AC00-000000000002}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.690{69CF5F33-C12C-6156-AC00-000000000002}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.627{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82830B77D23C18DB0D793345DEF0435A,SHA256=DCEC8399777AE2CE104A919B5697179628C960EBAB6D0D693054B0BED1FBA7AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:00.240{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC85040C6EDF489131DF7C4099338A36,SHA256=0545284BD5C9FA311EA14B747978B65BBDEAFD5644AEFE4F6639AA21AA79BEBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.018{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C12C-6156-AB00-000000000002}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.018{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.018{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.018{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.018{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.018{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.018{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.018{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.018{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.018{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.018{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C12C-6156-AB00-000000000002}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.018{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C12C-6156-AB00-000000000002}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:00.018{69CF5F33-C12C-6156-AB00-000000000002}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001670121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.676{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C12D-6156-AD00-000000000002}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.676{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.676{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.676{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.676{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.676{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.676{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.676{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.676{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.676{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.676{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C12D-6156-AD00-000000000002}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.676{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C12D-6156-AD00-000000000002}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.676{69CF5F33-C12D-6156-AD00-000000000002}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.640{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045CC8BBB6CB2382EFCCAF24CF6D411E,SHA256=F112496EB9BDA14D7F8E2FF495A3403FA9F3F59132B070665F4A00BB5B8E065C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:01.255{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C1889C4809B80FEE20B07308041CC08,SHA256=CC28793B9363DFD847C76939D3227217823270CE4D235FB48FD92ABB414A3787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.460{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20211001075651-007MD5=E2350FF87285264FC2F693171FD6908F,SHA256=DD0C2B6A4BAA6FC008B19D4F8AE41D7B35D93255AA75D9D1AFF144D5A1F933A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:04:58.581{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49821-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.146{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=713EAACB950E62D9812D8E4DA1B9BEB9,SHA256=3F99870274F8FB6D70C23A9BC7D337B6C18509BBF2E469DDD2057D035FAB6E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:01.146{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13F9AC5C5040278E757223CDC352E620,SHA256=ABC1922E4342116D3392EBC4514E74F6DB04EA1B1A01B20068C416A513129EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:02.886{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9299CE9EBBADAB7919F24D977DE0C484,SHA256=76BA01C96891A5F18F7B5AB4094D7D5F81886531817ECFD88E3F7B41ACE1ACF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:02.255{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63A6B6BBFFFC94224112FB4514E0695,SHA256=EB1F45A2ACB2AFDEF65505CD88BD3802EA9D75BAA6DC4C4DCC1397E2EE6140D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:02.699{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=713EAACB950E62D9812D8E4DA1B9BEB9,SHA256=3F99870274F8FB6D70C23A9BC7D337B6C18509BBF2E469DDD2057D035FAB6E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:02.473{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20211001075649-008MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:03.982{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B3738FFC238139D0D2A63C50D2EDA4,SHA256=A46744277B5217CE07B858424C1AE211DB1F8A9D7B43D3BE0B2B6517E6294BA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:02.003{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61893-false10.0.1.12-8000- 23542300x80000000000000001764533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:03.271{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4EA24A0E060CA0F53967412410E2083,SHA256=69473C3F37B352D94F013FF11F7E120E5871D040F924E198FE7F67D796637387,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:03.389{69CF5F33-C12F-6156-AE00-000000000002}4020420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:03.248{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C12F-6156-AE00-000000000002}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:03.248{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:03.248{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:03.248{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:03.248{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:03.248{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:03.248{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:03.248{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:03.248{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:03.248{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:03.248{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C12F-6156-AE00-000000000002}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:03.248{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C12F-6156-AE00-000000000002}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:03.249{69CF5F33-C12F-6156-AE00-000000000002}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:04.287{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35C0EF510282F377619CEB0E0AADAB9,SHA256=98FD864608B8B1C3B6563CE6C87BF534F517A334CCBF46B45916D3AAAA395323,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.966{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C130-6156-B000-000000000002}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.966{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.966{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.966{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.966{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.966{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.966{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.966{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.966{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.966{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.966{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C130-6156-B000-000000000002}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.966{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C130-6156-B000-000000000002}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.967{69CF5F33-C130-6156-B000-000000000002}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001670154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.451{69CF5F33-C130-6156-AF00-000000000002}39641188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.295{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C130-6156-AF00-000000000002}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.295{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.295{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.295{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.295{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.295{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.295{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.295{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.295{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.295{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.295{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C130-6156-AF00-000000000002}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.295{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C130-6156-AF00-000000000002}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.295{69CF5F33-C130-6156-AF00-000000000002}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:04.279{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5A7CA2F753D5959F8BD7840D93B152A,SHA256=CB63869303FDB9F9F54542AED6D5A2F19A2B266B1863FE1328C33DF3812009A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:05.529{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50C3D9909A381BC0BDF4DF467FADD554,SHA256=4E1601610E75F98822B14DF741E66B7532C378D325C9C33E6AC84543B48D0BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:05.466{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA764E127D22351D9C72F9A4F6EE0B53,SHA256=097EE874E1716F40FDFAB575BCE0C59D6509B15D33324C3A494292A56A62E902,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:05.107{69CF5F33-C130-6156-B000-000000000002}24644048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:05.302{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F75DCD2B45CC6E1C2A616D6912C8A9BB,SHA256=1A0F826C63D1EDBE5298BF9D350208FD0A10A3F23CE43F2013351E947930E797,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001670186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:05:06.982{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69b-0x0c184074) 10341000x80000000000000001670185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:06.544{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C132-6156-B100-000000000002}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:06.544{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:06.544{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:06.544{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:06.544{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:06.544{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:06.544{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:06.544{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:06.544{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:06.544{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:06.544{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C132-6156-B100-000000000002}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:06.544{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C132-6156-B100-000000000002}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:06.545{69CF5F33-C132-6156-B100-000000000002}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:06.341{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A999F6663CD562CDD2FF21526C7D6E82,SHA256=2A79FECD4C74C689F73A15429DD24C8A02ABD1D56C4B02DCBE012F8109520BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:06.318{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECC79CDB1E5E346AA23D5DE9FD77DDB,SHA256=48FFCFE9F1D65CEBA11DF77A640FD1E79BC853A7601B80F80BE25B09CA9AB454,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:03.608{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49822-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:07.622{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18BF28F45336287AF31082D1A32700FF,SHA256=84BDE73766D7C328B4A99453BB3AB7F115804775036918B821D2ED4DDB8AA519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:07.419{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD79A9F132F2FF75832AECAC8C9B0A1,SHA256=5EB5EED4270632B8FB7E0F32C9C5AAFAE77CF5AAB73EAFB37D12D6B995E22BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:07.333{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B730746585ADBFB1CEC316817E7EE30C,SHA256=0225BE1135D8CAD8B792AF04409A64D31EAA1D62208B26C5305C37CFA02EC181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:08.653{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42395E3FBBD94C79C4CB488F2740E756,SHA256=7935AA112876284E5A7DDEBDE4E63AC3E801D5182B331565CE250639329F0F70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:08.333{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFF6BBD17319E423C11DF2870EB0A6C,SHA256=9A6C08634ADA0D54E90BD324885DD552DF7D9D4753510F327C7E6AE5CF8AAF9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:09.731{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9669963C8E7A3FE6C3848CBEEF35CF5E,SHA256=9590E96F88873065D18AC4DFF67ADD502EABD55611C90E5CF1B0A5A13A1E7674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:09.349{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932040F37ECBA681B2C4316C0514F5B3,SHA256=D9FB66875A8D06979A8896FE6E0D219DBCA7FE08521B367B304DFF5EDEA91AFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:07.019{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61894-false10.0.1.12-8000- 23542300x80000000000000001670192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:10.746{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E0F17EF545D7F04D9877D5B2EDDFCB3,SHA256=3D1A44580028A7C01E781BB44F588EEFC6A4700C00F4DD5F3A65CC7A603F7532,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:10.349{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3681299A47E3D4BDB00AD2BC6B113A73,SHA256=38DAD4036F675C5785002B4DBB80264DF319823C416FD3E76C4518BA3AD74C8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:08.640{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49823-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:11.762{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82020C1E74EB95D6880D6C3F291428FD,SHA256=B37BE1EA52926975263FF608FB3C3B08E87F9042E1C9A16C7A23D21320898D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:11.365{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F0CF595278EAF90D3CB7EF8A0792D5,SHA256=C18374C0F5F89773074DBF52DAD2D85B1EC1B859337C0D42F3F941BBBB8F6E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:12.761{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4644F91738EF30E90A31C128700A9799,SHA256=965F86335857BA36C6A8D659964723F662BF17CA81A8EDC85CE0BCB54FB82C00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:12.615{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:12.380{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE813A576DBC2D45F8F428907CEE1B49,SHA256=47395B303108A2611863E978E02466532A040A53280B495ABAA9414A40FB3379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:13.777{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7A99359322853CCF4447B5ABC40729,SHA256=8198255A1FCA9EA021D61957CB588588C9D249E320BBE7844D3F2151C5B0F7F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:13.849{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:13.396{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79649BE4BB492C2E416CA4633ABD1EF,SHA256=57199B2E6612010E755597E04A03CBAC5AF2837C9DA1459701D6544BA0AC0502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:14.792{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA3E0382D5353971A7F9758FBC557C6,SHA256=81B77F3AA5189B806CC73229EC15FAD29347C7FAC214FDBD7BA36EA760359462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:14.412{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5887A790EFD7804293F281A53798348,SHA256=DE9C2E0FBF930E0F0DB07CC1D09034851F6CC1C4A0A2978023243F9EB7014FDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:12.097{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61896-false10.0.1.12-8000- 23542300x80000000000000001670198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:15.807{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC2116BB3CA1C11363E76869E5EEE1E,SHA256=69435E7BD04581BC3A9FD77CAC2B377883B7EE3CF694CCE55FC30AC4F77A8624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:15.427{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142F0E21809846FA544018BE57310EBB,SHA256=1614E77CA9D836D6EAD092ED4AA3675A22CD16E4AAE3D3B1AD0FB62D4EC0095C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:13.686{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49824-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:16.823{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC70CDB9B740A1775304ADF0C23A582,SHA256=5443D519FEA842F4D144D2BDD67C968C0BC4479F4297AFEA31D4AA1EF4C1A152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:16.443{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=327EFC5B10941D307FD09F0C8EC5E754,SHA256=93F25AC46C9D3DFB8E9E3357B551C9C13D31AAA657712C5E1A287ACEFA97D982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:17.838{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46F19FCE794892232B449D190628425,SHA256=8111C21E35CA72E6C6E62634966A44F61BC6FA21C93DE1038DC8D81FFF28026F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:17.443{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76FEB2BAC9472EDB9EB952DD09D5483A,SHA256=9E6D2B466A52F8691143CC402516E80B9BC542FA4B540558F69204594C86D045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:18.854{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BB09D6EA0B897921356FDB0C637F2B,SHA256=D0E02A1313ACA22D10E07468CBC8C134281510834CC03ED21C90AE2FC29C3304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:18.458{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8DB274FAF703DD5E5824CBC001EAA5,SHA256=23D7EFCD3FC3F74E3B5CAB526F89430C1CD80DCEB1E0E722B752B85F1B6760A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:19.869{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D8D27BCD342AB83FD3B986013D271F,SHA256=073455A242EB74DD1AD6DAF03B91A86A3FB8F07D0467EBCBE999A0331136557F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:19.474{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D9DF2896619F9CA51DF89BA88FFEB88,SHA256=00B409EA94115B2A15BE4F18472673207E8757B76FBF6EB690FCA496E53470D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:17.238{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61897-false10.0.1.12-8000- 23542300x80000000000000001670203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:20.884{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC7B4CCB25F66C4D3D91A99B68440EF,SHA256=D3BC5E5D641B545841C3B1706D75B8782FA1199FBB7FC6D79124D6F2584B5736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:20.920{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20211001075710-007MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:20.742{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C140-6156-E600-000000000002}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:20.742{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:20.742{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:20.742{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:20.742{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:20.742{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C140-6156-E600-000000000002}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:20.742{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C140-6156-E600-000000000002}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:20.618{5EBD8912-C140-6156-E600-000000000002}5784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:20.477{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1EE89AC261440C6962AF921BE902BA2,SHA256=CCC3B976D3A8ABB062E86D915DBE5F8C3A453362E75EC049EE59E5A302390EFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:21.987{5EBD8912-C141-6156-E700-000000000002}60805592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:21.923{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20211001075708-008MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:21.746{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C141-6156-E700-000000000002}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:21.746{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:21.746{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:21.746{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:21.746{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:21.746{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C141-6156-E700-000000000002}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:21.746{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C141-6156-E700-000000000002}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:21.748{5EBD8912-C141-6156-E700-000000000002}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:21.668{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF254FD3096AE76CAEA855155D80A9E3,SHA256=665F98AD561B8793D7DE83D2C7339E089C2A59346D99FFE282D860E6F181A834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:21.668{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=199D9A3C9740B9EBF64AA637B7B0D2A2,SHA256=9569E087DEFC705C731EF61F000111A27EBF9BDB78732501295DD2DEA662F53F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:21.481{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF6032E686208A62EB5C2CD0330F33E0,SHA256=EBE8C34005904D546BAD880957FF7AFC7EBB1D160461C862F26F6C155E8B7DD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:19.483{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49825-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001764592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:22.756{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF254FD3096AE76CAEA855155D80A9E3,SHA256=665F98AD561B8793D7DE83D2C7339E089C2A59346D99FFE282D860E6F181A834,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:22.709{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C142-6156-E800-000000000002}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:22.709{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:22.709{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:22.709{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:22.709{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:22.709{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C142-6156-E800-000000000002}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:22.709{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C142-6156-E800-000000000002}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:22.710{5EBD8912-C142-6156-E800-000000000002}5668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001764583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:22.568{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:22.568{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BFD8-6156-A100-000000000002}6036C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:22.490{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7779F88805B002BD674785C33AD4079,SHA256=CE923E2DEB23D8FAB8E015974F8AF9BC7663885982B3FC965F503E72D239811C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:22.118{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9600423BCFD5CC70AC926A3DC110AE9D,SHA256=EE1D5B34082EBBA34175CE4DAEF523FC43A43349E51492F03DB8A3663800B25E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:21.035{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61898-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001764579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:21.035{5EBD8912-BF53-6156-2300-000000000002}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61898-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001670206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:23.352{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D904EAAD021DBDFA141CABCFA3189C,SHA256=69C347349FD765F47C9F22C63C1F507A2FBD6E5ACFE9F723A6FB997B2B3CC4EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:23.506{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342C0A6A314DE4106577163F2401370C,SHA256=C58DCBBB0473CE216300826C75A269A4D5DB0BF1D26D38D3C76F88E84D8D5943,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001670208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:05:24.743{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69b-0x16ae6419) 23542300x80000000000000001670207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:24.524{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752AEFAA2CE6D850702F678D4B0A9F8F,SHA256=290648F7DCD868ADE5BC690397E8838397D9434AD283E14A15D8FA0F6518992C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.990{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C144-6156-EA00-000000000002}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.990{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.990{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.990{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.990{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.990{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C144-6156-EA00-000000000002}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.990{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C144-6156-EA00-000000000002}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.991{5EBD8912-C144-6156-EA00-000000000002}5452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.522{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D673D51BABB950CD60A9647ECACE29EE,SHA256=62FF0694F31D8054A55646D94028BD75DB6BCCA8DB0A06799E0620C979019473,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.522{5EBD8912-C144-6156-E900-000000000002}46525440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.318{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C144-6156-E900-000000000002}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.318{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.318{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.318{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.318{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.318{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C144-6156-E900-000000000002}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.318{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C144-6156-E900-000000000002}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:24.319{5EBD8912-C144-6156-E900-000000000002}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:25.633{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD43CFE74DBA570EE1E2740FAEDDC9E4,SHA256=CC0AF5D11B18CD2343A7E693C42549199A9FFFC4A31BAE72FC0BEFD069087100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:25.537{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F9CB4CD9F224516F465DDC0E7BB2849,SHA256=E5589FDE7B809CD4326BA3C5FE6001B3FD839DA16AD91B080AFC5F758ED24024,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:23.223{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61899-false10.0.1.12-8000- 23542300x80000000000000001764613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:25.319{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9182EBB45A9883745F22128C76B5A19E,SHA256=5106407F59D7E9B2F1932952588E20CDA5DBC00D1EBC19838ECD4DD176052A1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:25.209{5EBD8912-C144-6156-EA00-000000000002}54525720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:26.867{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0113500578267802CDB1F356560E2EB5,SHA256=958D716EB845E7218FBF41EBD313BA048FCEC6BA8891F2885C2632757EF4E386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:26.553{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1C7F31E106D5F5CA5EF25FB4588326,SHA256=50CA982A43842D0026D24F2D46AD1F393685EB849FF92929F5FDD351A108E9AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:24.671{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49826-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001764624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:26.256{5EBD8912-C146-6156-EB00-000000000002}58645740C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:26.006{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C146-6156-EB00-000000000002}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:26.006{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:26.006{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:26.006{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:26.006{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:26.006{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C146-6156-EB00-000000000002}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:26.006{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C146-6156-EB00-000000000002}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:26.007{5EBD8912-C146-6156-EB00-000000000002}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001764635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:27.678{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C147-6156-EC00-000000000002}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:27.678{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:27.678{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:27.678{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:27.678{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:27.678{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C147-6156-EC00-000000000002}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:27.678{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C147-6156-EC00-000000000002}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:27.679{5EBD8912-C147-6156-EC00-000000000002}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:27.568{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D5B6950A5DF4E45C544C6E00A02523,SHA256=492279126BD7B3A4B6FAAF154928C7780430B6A4919C4C8300CDF3587BF2FDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:27.037{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2716309EA56809475CD050948EF546A8,SHA256=53236ED04B72988816752085040995D29450A471566EB907B8ED216EDEB4C6CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:28.834{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86100F3856C4AEF2EB8CA7116BF0F4EE,SHA256=AC477092872BA999220392A5F84113C097CA86F35364819CAA0D7220753DE249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:28.584{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4609C07401897A698C598CC0D9D6F0A7,SHA256=8FBCAE598507C36FDF763CD83C793BA8804F0AEB5419B52F1BB21A36404F9AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:28.086{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D663DDB440D5666F59D04395097380E5,SHA256=733544CADCA9397D7E9B86EB26986B9778BD63DEAC40C5295ADD3536E8732333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:29.600{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1A090259A580FEDC4766C07C9B856D,SHA256=0E9752EFDCBA61690BB5218F00620728CAF99F2E45AD32FEEC6354A2E1F85B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:29.210{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C80F33059405319AED7D17E586CDCB,SHA256=3B3D053E3C2263728AD8823D9B6F9E39D13476055A7123A69FD43CC3D445B063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:30.615{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C59D46D44E02E70ED3312B6595F1F2,SHA256=E03229C89E2ACF4B61140FE71AF0041D874F2A1735B877BC310C0110A825D257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:30.210{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C05B52D93DDDD9A02AB35939501FC1,SHA256=92F9E4019011A5CBB75BADEE4A15C442F89790511E372EFFDD45D70572ECC610,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:31.615{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDED5836D6537449643030F5BFAC827,SHA256=89C0D5828980793BD80B485DFDFD0CEDAC3459E9BB01FD6417C4C90B560FD59F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:31.350{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=600FDD3192F973B7150624C947DE15A3,SHA256=CA19147EF225A60B7C6BE8294B2B3F8A43B664E87C2C74956C011003899668AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:32.631{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E647BC807F148C9129B44F717E626DE,SHA256=0742EA3C4D9EF3062723D460FB8868A417ADC6DF0D156A71BCBE477118C32A3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:32.397{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBBF98261956075D656CCF66AED7E4E,SHA256=5947F65D28F28DD271F416BC046614FE558485B48DE37467E5E5CDA7C39F3FA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:29.020{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61900-false10.0.1.12-8000- 354300x80000000000000001670216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:30.436{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49827-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:33.615{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0346892119EFFF6BE777676A4E348242,SHA256=B1709DA60C09674C17826529045E6412D37B22458E6464112F8AB5F6C6FF8EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:33.631{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A757C20FCF05EB089AF3EFA214E04EE6,SHA256=5FD7002F376FED8B95145E324D1D377D83DD56695D991622858748E5A413E9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:34.850{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B757B3B22821770F01B761ADDF5F751,SHA256=5B598E482EF54823F6B6FC532CB4652D43863E3EE1660D75B04705C67261AD69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:34.647{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A5150B63B2BFEAD26476E8BA7AF1B0,SHA256=1A3F1E3BD1DC9EA3B829981E19239A01C75214F5CF62A84C7EE3BCE9AA61C3FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:35.678{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04A32C60C2F2F3A07852767D979D62CD,SHA256=005356DEE68B3CA5915FE75D43A7DCE37A0F7028FE4977BFF34B17ED491DECE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:36.740{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E697FF2477F8F17FD498CD42F3FAE046,SHA256=D770A42A8C8254095EFA31CB9B08DE78AA68891CAE2DF826F62BBF3AAADB4F04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:35.498{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49828-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:36.084{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D14AE677427CDFE6311D223AE3782168,SHA256=D6FB74939FD3764CE507C1EB5267E3C96D254259A5CCD4002BD8BC7E5A617041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:37.865{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5155395879C5030C5043CC664E88C04,SHA256=1611597673CB8E82F3E19160964175B6778D710F924D5D2260AEB276866B880A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:37.115{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7404A750498DAE70BE06248265B5B8F,SHA256=52023CA3A3AC05E7C5B787489BCFD7C3644F8458B065D6A4E571E0C148303FCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:35.066{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61902-false10.0.1.12-8000- 23542300x80000000000000001764649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:38.959{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A8698F15753EEC8EC0CD4C8F7E1DCA,SHA256=ACFB60525ECE61B36A6DEEAD0DB853823CA9EA3AEBD2FFB4AC24CB296D55735D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:38.130{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B4CB0916A3754395FE03DEC3991588,SHA256=1656DBA2E98B86555F64E1AC82377F1CF31646E501FCC38CC3E5C0454B5ED211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:39.959{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017EE6012F139CA353C0712807E519AB,SHA256=E931E7A03A6B6D2E962F4F4AAA8EF953010607D1D781EB9118A4A20DE330A26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:39.145{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FAD900EF2AD2E4F04FDC6D9013C04A,SHA256=77D792F59996BEE31F8A7B33C0B37F1071500D4A8FCE44B8699058A7F57871C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:40.990{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D2E96D759BDDB9EAFF396B9FABD56E,SHA256=4D2A7432CBEBD5335E4DF5DE1EC3242B011D21D059F41D0367AAA774138638E3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001670226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:05:40.739{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69b-0x20373115) 23542300x80000000000000001670225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:40.379{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD978E83258C00069F69195AA968B26,SHA256=33B0789536C9AFBA8571ACA4679528053F8D6E3FECF64B934C886BEBD212A11D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:40.608{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49829-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:41.520{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9793D5492AA4ACDD79C1DCD37CEB01,SHA256=70A7929275D9B0158F13DA6A872E35EACDA3C6AAD447181BD71F8F1B008E1748,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:41.240{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1100-000000000002}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:42.738{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4198DF9352BCA93A193A0A4C0692C9C,SHA256=01F249908B41E495DCA0BAFBBE035FA990B51C3AA57B7DBA455FDC99405C9F57,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:40.113{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61903-false10.0.1.12-8000- 23542300x80000000000000001764653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:42.021{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BB1F9AB7DCA61444F92AA95F4086D6,SHA256=88AA509BCDA0AC01C6E271C191BB1AB7C809F97B857D37A1428D468583809691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:43.910{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C2298F930964E4907E994B69FF1C28,SHA256=5F26786BA4CB8370186ECA1CCEE4885586BD529D63870C5857426C4DCECB3D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:43.053{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642135BA84AA92AFFDF697EF7EAA55ED,SHA256=977C9A76ECCF249230D5270E0132BED4ECDDAFB4D88D73529B6A53518C182D53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:44.972{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55D314DBEF022C7EF4F494DEF2FA2B6,SHA256=F751A002224BFFC3BFAA5635C943EFFDF0EBC152C4CE78ABB27B75F0A758D847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:44.178{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CBE21ABBF811BCED818BD97DB43C982,SHA256=91A4007DA7F934C2309DCB8BB9B7909B4D2FD7D48BB5ADD6613BBF6801E8BD87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:45.209{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0848E2992513721A96C5330FCC5CC30D,SHA256=CD1117A0079A952691E54D0BFAF8D6586D23455679D83D298ECB0C896DE408E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:46.066{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962CBE4EDB5098AE2AE3B10B203CC627,SHA256=6951325DB3E709A404D4E0D0E0B2630EA2F6AFC19F83EF075E4905A8DAE5E25F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:45.238{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61904-false10.0.1.12-8000- 23542300x80000000000000001764658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:46.287{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78D25B7B30384C1BBF9508988AEFED21,SHA256=0B1F5B981457CA1D59C63A7682E53BC3AF0481762C9AC2E3AF606B49D6086407,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:46.498{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49830-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:47.253{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE1FD7CFC18E833725F135AD6DEFB9C,SHA256=9799259E75E832E7A03221C801153A5FD39C52BD33EB5992D9D3ACD04FD955DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:47.303{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CB0459549CD1C9D1A33F1C1E38F9D7,SHA256=B803D1ACBF885373573826B7B5B120A98C1E9F339F6A4C5903F6F9CA122DE056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.955{69CF5F33-BF40-6156-1600-000000000002}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF85155.TMPMD5=0880C744E64506835304E7B47B3F59FF,SHA256=2B76F478E9635EEA4F870FE3D0AC7FE80A9DCCE443DD3799A293349122AB9464,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.940{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-C15C-6156-B600-000000000002}2120C:\Windows\System32\sihclient.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.940{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-C15C-6156-B600-000000000002}2120C:\Windows\System32\sihclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.909{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4344F56A4A903AFB14A410CA58C69E9,SHA256=55ECA6D85FBEB5510833C01699BF3C6B483C67DEE79DBC90CA49BFD616B8B945,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.877{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-0F00-000000000002}948C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001670318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.877{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:48.334{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BD6BCFC780B53243004027ADEAB235,SHA256=8A8D40DCE88E916BD1CEFBEDA772893C93A809AE0583AAD8A6E9343687CF82DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.877{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.877{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.877{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.877{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.877{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.865{69CF5F33-BF40-6156-1600-000000000002}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF850f7.TMPMD5=3E1B9A60E48FC92665999E7DB7852BAE,SHA256=766DD56BED2BCF9E6495069A0BF4A85C95348E706F8EB01B0611862FE23BF08F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.865{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6841475A6A3E34F24BC04B2C27668C1,SHA256=056C51A29BCDB50641E3070DDFE7689E92FCBA06B02B2280A4EA573AC7ECE77B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.830{69CF5F33-BF3F-6156-0B00-000000000002}6442352C:\Windows\system32\lsass.exe{69CF5F33-C15C-6156-B400-000000000002}3028C:\Windows\system32\devicecensus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.830{69CF5F33-BF3F-6156-0B00-000000000002}6442352C:\Windows\system32\lsass.exe{69CF5F33-C15C-6156-B400-000000000002}3028C:\Windows\system32\devicecensus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.830{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-C15C-6156-B400-000000000002}3028C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.830{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-C15C-6156-B400-000000000002}3028C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.830{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-C15C-6156-B400-000000000002}3028C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.830{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-C15C-6156-B400-000000000002}3028C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.830{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-C15C-6156-B400-000000000002}3028C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.830{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-C15C-6156-B400-000000000002}3028C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.830{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-C15C-6156-B400-000000000002}3028C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.799{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.799{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.784{69CF5F33-BF40-6156-1600-000000000002}12042104C:\Windows\system32\svchost.exe{69CF5F33-C15C-6156-B300-000000000002}3472C:\Windows\system32\usoclient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\usocore.dll+210d2|c:\windows\system32\usocore.dll+15924|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001670298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.752{69CF5F33-BF40-6156-1600-000000000002}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=E731A24358897D95B61AC1FF256BF5D4,SHA256=074BCF6D9FD4E53300F523149ED41902EEB2132FB6B2BF3F8DB6803357AA7FEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.737{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-C15C-6156-B300-000000000002}3472C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.737{69CF5F33-C15C-6156-B800-000000000002}40682716C:\Windows\system32\conhost.exe{69CF5F33-C15C-6156-B600-000000000002}2120C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.721{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C15C-6156-B800-000000000002}4068C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.721{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.721{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.721{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.721{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.721{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.721{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.721{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.721{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.721{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.721{69CF5F33-C15C-6156-B700-000000000002}2636436C:\Windows\system32\conhost.exe{69CF5F33-C15C-6156-B300-000000000002}3472C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C15C-6156-B600-000000000002}2120C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF40-6156-1600-000000000002}12042104C:\Windows\system32\svchost.exe{69CF5F33-C15C-6156-B600-000000000002}2120C:\Windows\System32\sihclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C15C-6156-B700-000000000002}2636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C15C-6156-B500-000000000002}2600C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF40-6156-1600-000000000002}12042452C:\Windows\system32\svchost.exe{69CF5F33-C15C-6156-B500-000000000002}2600C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C15C-6156-B400-000000000002}3028C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF40-6156-1600-000000000002}12042496C:\Windows\system32\svchost.exe{69CF5F33-C15C-6156-B400-000000000002}3028C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C15C-6156-B200-000000000002}2492C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C15C-6156-B300-000000000002}3472C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF40-6156-1600-000000000002}12041344C:\Windows\system32\svchost.exe{69CF5F33-C15C-6156-B300-000000000002}3472C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF40-6156-1600-000000000002}12042232C:\Windows\system32\svchost.exe{69CF5F33-C15C-6156-B200-000000000002}2492C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740792C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.705{69CF5F33-BF3F-6156-0C00-000000000002}740784C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.268{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9FCF889EBB12976649D731DC4EB4B79,SHA256=14A4546ECC530415CA6F6C2AD68ACC7D6044D52C1A1B9F25A2934DBE669F06F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:48.221{69CF5F33-BF40-6156-1100-000000000002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D3185797B814EC7DAFD885C70CB5355D,SHA256=7C62C9898DD7D5DA1160258832D7BE7B4CB1A82FBE3F64827549BAD0D97422BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:49.459{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C159E330D97CBF718DEEE438CBDB6049,SHA256=BB5D120360EF3BA79C767F47C72256E69786E107F96F08D70A419583E7B9F82D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:49.799{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DEFB079182436F2B8795FD8D1E24D8BF,SHA256=6D1A82E801250C53E754A449FE34986015D22A145C01C8500F7A10D717B59341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:49.799{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C6E0A416DD84D921B4EA6B1BD16F4DF5,SHA256=6AA5AC06EBB37A79F5617C1443D483064AA017B88151518E66423F0D9839A597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:49.768{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E19D52C29CE209C38DC018137B54085,SHA256=F14CCCC4DB0361FCD1CF3A0F1A064A49F1764DFBA6A24FDE811C34C95A89BAB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:49.768{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=763EFB5915C8C7EF043CB913CED8CC43,SHA256=54ACA61BDBF7474AFCC2F5AB685EEE564714B4F35AF873ACC93E8C3598C960B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:49.455{69CF5F33-BF40-6156-1400-000000000002}7561684C:\Windows\system32\svchost.exe{69CF5F33-C15C-6156-B600-000000000002}2120C:\Windows\System32\sihclient.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:49.315{69CF5F33-BF40-6156-1400-000000000002}7561684C:\Windows\system32\svchost.exe{69CF5F33-C15C-6156-B600-000000000002}2120C:\Windows\System32\sihclient.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001670331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:05:49.315{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001670330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:05:49.315{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000852bc) 13241300x80000000000000001670329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:05:49.315{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b692-0xc36d18f9) 13241300x80000000000000001670328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:05:49.315{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b69b-0x253180f9) 13241300x80000000000000001670327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:05:49.315{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b6a3-0x86f5e8f9) 23542300x80000000000000001670326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:49.268{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CA710690B174D1FAD9487EE5E0BAC5,SHA256=BAD587296326E70F92956EBD9C4821520636806264A635E747EC2880447B3795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:49.049{69CF5F33-BF40-6156-1600-000000000002}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF851b3.TMPMD5=ACEF65F8532DED0C84FB266B0C44A7B3,SHA256=C19B4694876E893608B059C41E8A1782569FBD503F5D9488523D7907F5C02EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:49.002{69CF5F33-BF40-6156-1600-000000000002}1204NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF85184.TMPMD5=6ED8BF245B4C2816D70927030A2671DD,SHA256=7415406A2BA4D3FDBF3440F6B41AE5C7B822A618B948746CEAFFB20983616D23,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:49.021{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54265111- 23542300x80000000000000001764663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:50.475{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF8BDD799C9546EC97E272E385FD39D,SHA256=93D8B6EC64F20C21F6F9F27FF3D7D3D857DB10ACD827A0D3A64830586A58B34F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:49.508{69CF5F33-C15C-6156-B600-000000000002}2120C:\Windows\System32\SIHClient.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49831-false52.152.110.14-443https 23542300x80000000000000001670338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:50.283{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC66B38DD486BD313C0894726CA653EF,SHA256=26FBE2BC6D51BBBA727E41A77FD4D5630C6ED13D5F14969F864D89AC631CE02E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:51.928{5EBD8912-BF43-6156-1200-000000000002}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=93CDA8E0502D87ADCACD71D80A083798,SHA256=3BC3E1531608A9D86D2F111C0DBAE96BBB48C388022E1682397FDAD9CE50026C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:51.490{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EC531FC669E1B01E96EA850EFA5A52,SHA256=A9C13D387ECB9C47985C2A9429CE69AE0DBD3F102CE2706863A742EE244680C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:51.299{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596E8A092FC301BEE73DA13BAE4DC460,SHA256=DD41F879B82CC19E668A0C4B49364B65E5B416E8DAAF30879FECB2861B63AE3F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001764677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:05:52.850{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001764676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:05:52.850{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00085ed2) 13241300x80000000000000001764675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:05:52.850{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b692-0xc5c73301) 13241300x80000000000000001764674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:05:52.850{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b69b-0x278b9b01) 13241300x80000000000000001764673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:05:52.850{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b6a3-0x89500301) 13241300x80000000000000001764672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:05:52.850{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001764671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:05:52.850{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00085ed2) 13241300x80000000000000001764670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:05:52.850{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b692-0xc5c73301) 13241300x80000000000000001764669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:05:52.850{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b69b-0x278b9b01) 13241300x80000000000000001764668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:05:52.850{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b6a3-0x89500301) 23542300x80000000000000001764667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:52.521{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA87F4B0B38A366A530BB87ECCAE37D6,SHA256=6FA1CCC897596A3DCD457821A15277D1B64278CC8B94FBE581520F07554E9310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:52.314{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D07E54837CF61DFC596A2702F767416,SHA256=390C939DA4B5131F1E6B5566F961DA8C7C92DC5EE1EC0AC2224DA723E9AB4E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:53.600{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D844D4720E6BB3B97C80DFB41E5D6F19,SHA256=BDDD437929505EF19C2566AA1E5B9B40778FDAB77361C73A476C2CE38548500E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:53.329{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BD0AC7CA06918CA307B4804FE0E639,SHA256=F552152CFAC59E5312676AC01D0C8A97285E81D4C5049E7A541EFB7E617B0CA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:51.098{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61905-false10.0.1.12-8000- 354300x80000000000000001764678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:50.835{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54258855- 23542300x80000000000000001764682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:54.662{5EBD8912-BF53-6156-2C00-000000000002}3016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:54.615{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9722C3EA6A0DAA56BB476023165521,SHA256=F076EB490A405E3450D7D1E9CCFF45FFF1D3D1C7D56A78B3AD94CB22C5E4E427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:54.345{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6364A38CC165412D096B3EC3BC9310,SHA256=F839ADFA0793A8796F744C9AF941116513368CFE96BE06AD20662652F3FEF014,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:52.514{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49832-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001764683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:55.662{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1FAEC415B9406526168C9D1558FAE0E,SHA256=6EAAAFABA7549C5B3CF8813311AC5CBC16CAFDD2F8C7CF521DA01FA4B0132009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:55.360{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543DF65FA308F592C576CA6CA91EACF2,SHA256=081635DEBEF8381779F1C7E671853CF082BE41B59667EE711596A1069EEB232E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:56.678{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B6FFFE0D2E2E1D1533AB0FDE92D380,SHA256=9EF09CEC36A3D63F72F11234CE4BAD02CA2E3CA5665DC51F7F2384129E3937F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:56.376{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD32DD0E3D02BBF37944A56F0C1BB1F,SHA256=210B124B41C4A36F36F163E03F646131690CE18DFF5927F3F35A091154ACEFFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:54.644{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61906-false10.0.1.12-8089- 23542300x80000000000000001764686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:57.709{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FC8F4C1DB6C82059C5377D1D5CFF24,SHA256=1BCA0AB39C733179CCD41C92754D4B69B99798F23C22F3DEA68B14B36DF52A4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:57.891{69CF5F33-BF40-6156-1A00-000000000002}1872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:57.391{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4798243DDA49762C97619F1EAE6215A,SHA256=1EC8CB0B3DCEADDE8EBD0C6574C79AF56D030FEE2B0B42EB4A105CADBBDE005E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:58.756{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=628C34D99A289BCFEDFFB3C131F58B8D,SHA256=B7606D1564D4BA3BE319AD076B134DAE5C21931E869AF645E7482D3BD7506834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:58.406{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72F024B7FB59D4132DD9F11CE11A9A4,SHA256=F64DB217620CE6709946BB94D43F441B4684D51D8B582A81A5B41D02EFF10F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:59.849{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF4A394D1A1BB737F1BC98208169585,SHA256=069AAAA9D5C7D35A9F35A3840616F46242769BED2CFF8B0D49E648F8AD943EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:59.422{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FD0CACDCFE706DBB2CE51F3269E024,SHA256=502C7889E7350E3D98284CC3F1098284C9C84DCBFA62AB21FE1A1686450C5CAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:05:57.051{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61908-false10.0.1.12-8000- 354300x80000000000000001670350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:57.529{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49833-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001764690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:00.849{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D97B95B5E769E2B33E651F49268ACCC,SHA256=5A77A96901400C4338DDCE85C41AE809AA68AFA1C699EBBF32DFD24C95049B52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.874{69CF5F33-C168-6156-BA00-000000000002}22203012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.687{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C168-6156-BA00-000000000002}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.687{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.687{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.687{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.687{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.687{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.687{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.687{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.687{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.687{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.687{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C168-6156-BA00-000000000002}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.687{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C168-6156-BA00-000000000002}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.687{69CF5F33-C168-6156-BA00-000000000002}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.437{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB8EA90E42FB07D1A98AE62460DE174,SHA256=AB8DD7840BD0305B3C0D24E4D600A094DA4914ED501AF70BC3E2158856ED4026,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:05:58.310{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49834-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x80000000000000001670364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.015{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C168-6156-B900-000000000002}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.015{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.015{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.015{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.015{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.015{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.015{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.015{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.015{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.015{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.015{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C168-6156-B900-000000000002}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.015{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C168-6156-B900-000000000002}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:00.016{69CF5F33-C168-6156-B900-000000000002}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:01.881{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0E5CB31A2E7552A3091188056DF0CB,SHA256=EFBB3A3B48319C5478CAD98ECC6F274434305B65DCADA98E614D22515543C4AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:01.515{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C169-6156-BB00-000000000002}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:01.515{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:01.515{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:01.515{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:01.515{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:01.515{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:01.515{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:01.515{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:01.515{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:01.515{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:01.515{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C169-6156-BB00-000000000002}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:01.515{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C169-6156-BB00-000000000002}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:01.517{69CF5F33-C169-6156-BB00-000000000002}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:01.452{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D669B249576131B2ABECB49C17848DDB,SHA256=A1A69C1DB5A7CFA8BEB64ABD9B404D3F6A234A52DB0D57DDDEC6A6F6F82A7462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:01.249{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D07DFE634359964E300EC43288B3E0D1,SHA256=E7DCCE2D7FE278BECD056287F087BBBFF305404C33ACDF63E8685D7C832C4D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:01.249{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E19D52C29CE209C38DC018137B54085,SHA256=F14CCCC4DB0361FCD1CF3A0F1A064A49F1764DFBA6A24FDE811C34C95A89BAB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:02.959{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F7D3A82B6D2C624FFF56EB933DD456D,SHA256=5117BDC55571E581EE63139718EA0F80479155D5EA7840D7619E15C7F7697D1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:02.971{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20211001075651-008MD5=E2350FF87285264FC2F693171FD6908F,SHA256=DD0C2B6A4BAA6FC008B19D4F8AE41D7B35D93255AA75D9D1AFF144D5A1F933A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:02.516{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D07DFE634359964E300EC43288B3E0D1,SHA256=E7DCCE2D7FE278BECD056287F087BBBFF305404C33ACDF63E8685D7C832C4D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:02.468{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B019C651488E2E61F5ADF84BC225C6CD,SHA256=E9BDC816EDF27E0FAC19283639C7E62B129FFD0F0EAF4483346637F463869364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:03.990{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC9E2CD45E83E53B1DCC44FD4B95336,SHA256=A88043B63CB90D3A0C87F00D8BA1F077F30F5F48B7812262A97016E52CB40A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:03.973{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20211001075649-009MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:03.472{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F26C7F85FCD22ECA6207CBEA4B4045E,SHA256=C35215D3A97788447C38A5F402AB9B4074AB083DE6766ACD2F7740D721D25E4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:02.160{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61909-false10.0.1.12-8000- 10341000x80000000000000001670413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:03.394{69CF5F33-C16B-6156-BC00-000000000002}988992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:03.237{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C16B-6156-BC00-000000000002}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:03.237{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:03.237{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:03.237{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:03.237{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:03.237{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:03.237{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:03.237{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:03.237{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:03.237{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:03.237{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C16B-6156-BC00-000000000002}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:03.237{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C16B-6156-BC00-000000000002}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:03.238{69CF5F33-C16B-6156-BC00-000000000002}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001670445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.972{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C16C-6156-BE00-000000000002}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.972{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.972{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.972{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.972{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.972{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.972{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.972{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.972{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.972{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.972{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C16C-6156-BE00-000000000002}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.972{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C16C-6156-BE00-000000000002}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.973{69CF5F33-C16C-6156-BE00-000000000002}2140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.488{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C04716AD4EDBAF3605E122D01C16B7,SHA256=BE62CFDACF8F2ED8C0C789BDEFFFD7510D18EFBAD9D326F904CD31A5CEB21054,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.439{69CF5F33-C16C-6156-BD00-000000000002}16243744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.298{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C16C-6156-BD00-000000000002}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.298{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.298{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.298{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.298{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.298{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.298{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.298{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.298{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.298{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.298{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C16C-6156-BD00-000000000002}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.298{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C16C-6156-BD00-000000000002}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.299{69CF5F33-C16C-6156-BD00-000000000002}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:04.283{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F9598803BFF9E67D6907F2D83439C14,SHA256=80411D4711E0A73C6DA44610243C2E67FDA1E49B432165CBFEDC590F01356048,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:02.670{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49835-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:05.519{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF6CA42B7B577319022E10DCC5C6FEA,SHA256=7145D07AAE4220FEEF1E5B22383334315E95D10F1F9172338570F6E7AC1E7040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:05.021{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F396C3E4BB3EE3C1A0C8D8A0A6672C15,SHA256=EA6293D9897EFA536348FCD5694A8F50349597A745A9AF75B425A50DB7F091CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:05.316{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E690AB3A9DF1CABA95B9186CF0E2256,SHA256=DC6C2E34FFBE24A9F184CC59EA90F1812A3BAE40172112332A35B7A6E33F6DC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:05.113{69CF5F33-C16C-6156-BE00-000000000002}21403868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:06.566{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=405907F6FBE859B2F17F212087E3D1E5,SHA256=605BD01CF18B2CD93857AC44FAAC635686C1ED04910F5E2A77F3581DE5B5ED04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:06.037{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1FA0CC642D31B0780365DFFBC4D1E4,SHA256=ED650B1A74B596AD08D9DE2E8117EF567433FB6EDFBDB18F3F150959F74EC71F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:06.519{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C16E-6156-BF00-000000000002}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:06.519{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:06.519{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:06.519{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:06.519{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:06.519{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:06.519{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:06.519{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:06.519{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:06.519{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:06.519{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C16E-6156-BF00-000000000002}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:06.519{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C16E-6156-BF00-000000000002}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:06.520{69CF5F33-C16E-6156-BF00-000000000002}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:07.612{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF7DD110CAA464DDEFE1C5810372F367,SHA256=2716BDDFDB9591FCF459E4E11F93F699CF0700256D8774C44DA1A24AD6687166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:07.612{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF7ECFF525946A8AC0997BF285B794C,SHA256=314A82320D3A90C856E0A2072B54F64E79F8B225469A2B385D432C601F538D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:07.053{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9106C7DF4B33920EF3AB29E92FF5A32F,SHA256=7DB073DEDFF71C4E79CBE35FE87E01791E977DF73EB20D83C2FC7256422106E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:08.799{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6B3AA424E9CB3C2B7E10832677EEB1,SHA256=DE747FDD3CE57BD6A5E8229A469E18E645ECAD2E0859B9B80EDDB20362BC1C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:08.068{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726677228D91D2CA5435497EB452D087,SHA256=CDD806A05A83D0D4A9EDBBF86E679412F63BF8841FD67FB1DC2FAB69EE0FEADC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:08.503{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49836-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001764700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:08.129{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61910-false10.0.1.12-8000- 23542300x80000000000000001764699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:09.084{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3407F21A3F55469B53A5F3CE824DA009,SHA256=D02BE05AB995C5F20CD6984573F6462650789F5CDE5ABD99C90C92844C62C13C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:10.034{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9459B7A1364E11A7C0B4EC2B3A9EB61F,SHA256=81361B18C29FB07BF4A13609AAB4214213CFDD38B37442C2FEF76D3FD5B4398E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:10.099{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59CF5E4100B341B9696DB8B61315D50,SHA256=B2E4A963E9B6ED9D54524948D4FA5EB3B6509D90ED5ED3ACD1568E8C0AC5AC43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:11.096{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802896509B1E609334621291C5F7B6C8,SHA256=0AD715870402F8371952B21AD5BA9E8B766CE3CDCF34C6CE4D149F75253DC2E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:11.334{5EBD8912-BF43-6156-0D00-000000000002}9042136C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:11.099{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07ACB814BEA77806B08E4AA1D87B3E78,SHA256=B20309DEFC31F23845A8121188F8D1E6D4501B7A457F74538BD7C9A2480E3548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:12.330{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B25417A08EDCA877D72E10D05694792,SHA256=BC15F35BEB5ED794AFC3463072BB65854EA0686A6D6BBF89D445ED1F9E48F941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:12.115{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7436B283540A1711D851572239F76A,SHA256=DE08AC7B370C319100AF679ECBBFC86631F9440714D4C013A6B0D1881D2401A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:13.564{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F516F4F5C0A92663866716BC63D5BCE,SHA256=A62A2A192034C6E40FCD93DE5AF6529A4372BA80B22E7752EEDCD62FB394D635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:13.115{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A6DE8CDBA53D41D1A8C1EA557DEBA6,SHA256=8F3B298FD8371B0E470CD0F929004E6D6B285ABC08CC9066B6E843050D3CFB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:14.611{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B2F78EC4B415EE8FE990EDCF3C0D3EB,SHA256=E91D8668D7E7A99F851322CB0AD144E58E37CCF0EC6FFB0024AA5209B4AEDD44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9400-000000000002}4880C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAB-6156-9200-000000000002}4576C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.381{5EBD8912-BF43-6156-0D00-000000000002}904924C:\Windows\system32\svchost.exe{5EBD8912-BFAD-6156-9500-000000000002}4988C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.131{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D62669A3F11D6751F0F79555DC7CD555,SHA256=341D9650FDE7B257F3ADCC31AF6790945F47BD7CD1770DC61C0FB1AD72353544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:15.626{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5414657774B142ACF652F435EEC344,SHA256=122867C380D212F77D1371C44D082752DFE655F9A1E7701250A59225181B0550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:15.537{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAAC5E86AD94A26827AABB268ED6F0C0,SHA256=50ACE2B34549A5E4E4DC782AFD689DD4D2380EE7AB01613DDD10D4A6B61F1C0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:13.628{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49837-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:16.641{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A801CCEAF301578DC55CB5F3EB5214C,SHA256=98A9A5C945B1C17C8C2AE4B017A4962BEB19FD8F96A164E33EE9E78AF860AE78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:16.552{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F3514E83C1CB5AF6FFDA56B77A86DEA,SHA256=257D2264159B74324F71BDD4415E14CE0D2D74F509CD2C28DA522F960D3093B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:14.160{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61911-false10.0.1.12-8000- 23542300x80000000000000001670475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:17.657{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5449D9A8D5D87DD8A9BB16CD77ED8D3,SHA256=D60518A8E00AFE319AAC9008C1EFA153F53D6B6598F814E434B28622739E80FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:17.599{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9BC37C515D5E9C7A398AF6D0FA9622,SHA256=D0F0A813549712881DA2F6D3AA31C121D9AF392547AB9D7024730C0CFDCD31EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:18.672{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6F53C382C345B33F05B66849B2E49E,SHA256=A1357EA7EBDC61BCF85AE046B1499328ED95C18BB117DE93A71D17DA10138E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:18.677{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEB6589E9FBDD0EDF31A81ED3B3F3DE9,SHA256=877EB0B5B39F617B4960A62B7EDF1D48244236E0D9CBE38B6019750BCC778ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:19.687{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B04D0949B06ED6731C573304F00A23,SHA256=9AD1D8A20C7B34D07B5319E09431CDD8F282420EA0D9B2D8A0D479033B0DC411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:19.740{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BCC6A3D2D82D2D6173407AE1EC4D0E1,SHA256=06117DE22C0ADE084DBBBC9A269A23652CF6E2AFD089DD26A778EF7A13754A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:20.865{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E322499DDDAD2DB259B5E40F353B36,SHA256=1D0238695B86A0EF5965EECD8FAAD1EE7B6C62CB8FC39AD5606CDE0FA031CD0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:19.518{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49838-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:20.687{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A2000ED8FB1A4455F60EDC11853960,SHA256=871FA6B0C1B682B1DB97D1CC5E68FD64956A4E493CF6D864084C1537A51C8AE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:20.631{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C17C-6156-ED00-000000000002}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:20.631{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:20.631{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:20.631{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:20.631{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:20.631{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C17C-6156-ED00-000000000002}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:20.631{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C17C-6156-ED00-000000000002}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:20.631{5EBD8912-C17C-6156-ED00-000000000002}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:21.976{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E7E92957ABF6EDB4C540804120CB52,SHA256=7410DE86F1566625282C09D1ECBF65CCB59EF35E8460B7188931F2224F1002CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:21.703{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB5BAB20A2B4910067EA987A1A01BBA,SHA256=4E7E78B95F964E61E36D105B979CBE6E22F1C40BC1DF49484FA9442D2D8282D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:21.960{5EBD8912-C17D-6156-EE00-000000000002}24645236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:21.865{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B54B2A99A69B7A332909E0720D87370E,SHA256=40A3203859C7C97BB7D63886A41817E354E5FF2A46C37F817A0E2103C7FD6E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:21.865{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA0A47C1DF7FED0CB55BDE98DA2AB411,SHA256=62912DA2A630AFE84BF79B69E2B72480C97054B14FA839F6519732F3090C5CD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:21.756{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C17D-6156-EE00-000000000002}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:21.756{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:21.756{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:21.756{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:21.756{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:21.756{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C17D-6156-EE00-000000000002}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:21.756{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C17D-6156-EE00-000000000002}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:21.756{5EBD8912-C17D-6156-EE00-000000000002}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:22.718{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581A73A2DAB185ABD56721085653A064,SHA256=D9B2AFC51F2EB3A6728857923EE614BB94EAE6C099EC480D27B3B8AEF55845C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:22.976{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F732CD1F84DDB3D377899CC859E3E086,SHA256=625A895F948E2FB2942AA4A07A8F692F6469814C32531E6D9238A7B01841CD15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:22.711{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C17E-6156-EF00-000000000002}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:22.711{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:22.711{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:22.711{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:22.711{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:22.711{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C17E-6156-EF00-000000000002}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:22.711{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C17E-6156-EF00-000000000002}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:22.712{5EBD8912-C17E-6156-EF00-000000000002}4560C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:22.448{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20211001075710-008MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:21.035{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61914-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001764762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:21.035{5EBD8912-BF53-6156-2300-000000000002}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61914-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001764761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:20.113{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61913-false10.0.1.12-8000- 23542300x80000000000000001670482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:23.733{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C93BE62C3B71DBFAA5C890D9521714,SHA256=FC6A34097DE6972F42E2DE42A4241CDB0370F5388BA7C9BF4A7B1AE5EB57F24B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:23.978{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5B7ABA9758F66832D72DA3D11DAD3C,SHA256=80CEF7EAF26E1A646D42CEF317F8E66233462AEE5AB111A410DC8D53770845AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:23.725{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B54B2A99A69B7A332909E0720D87370E,SHA256=40A3203859C7C97BB7D63886A41817E354E5FF2A46C37F817A0E2103C7FD6E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:23.447{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20211001075708-009MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:24.749{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AD89AECED9E38465BC52A1573DA4EC,SHA256=577DF5A47AE77CC3A95CA9EDC63538EDB662CCE8BF7DC6A1D54C3AA2B4D175F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.994{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C180-6156-F100-000000000002}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.994{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.994{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.994{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.994{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.994{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C180-6156-F100-000000000002}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.994{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C180-6156-F100-000000000002}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.994{5EBD8912-C180-6156-F100-000000000002}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001764785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.494{5EBD8912-C180-6156-F000-000000000002}11485964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.322{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C180-6156-F000-000000000002}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.322{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.322{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.322{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.322{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.322{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C180-6156-F000-000000000002}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.322{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C180-6156-F000-000000000002}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:24.323{5EBD8912-C180-6156-F000-000000000002}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:25.764{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A9ECB80F97931C737245F361EE4887,SHA256=012D5FE746EB8593721DFE9C782CE07346D5EFFBBAFEF84B3CADBCA1E5FFDAED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:25.384{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6663EA92C2CCD3BB0ECA42552AAC01C9,SHA256=873E4FF5C62385DE64BE64BF45FBD35E7651E18B87BFD18D90FA4223B22C2E6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:25.197{5EBD8912-C180-6156-F100-000000000002}50565324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:25.009{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DE760521C2E7F57BC783C2D5771E41,SHA256=2AC090E15A03F3A1F97215CDC1E99C6524C45CA140A2C9F068E582C5D4EB7739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:26.780{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B01F98DF3B33F55382422103DE65F82,SHA256=1762EFC2742FCF559A310833CEEEC441C6BB13ADD1A5D67731FDFCCA4B790FF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:26.166{5EBD8912-C182-6156-F200-000000000002}53645368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:26.041{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF72008370F4F6BDE53AE44638B52126,SHA256=A344F4690731219FFAF55892C5CD0FEAA9991086422C4E818CB8B0D509C861A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:24.612{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49839-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001764804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:26.009{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C182-6156-F200-000000000002}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:26.009{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:26.009{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:26.009{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:26.009{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:26.009{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C182-6156-F200-000000000002}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:26.009{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C182-6156-F200-000000000002}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:26.010{5EBD8912-C182-6156-F200-000000000002}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:27.795{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC38F7424B8B80E29D56497AA4C4388,SHA256=6919CDFB24926449DB40B47B12C418DFCEF8942B0503B75EFCBD34A116E8E96C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:27.681{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C183-6156-F300-000000000002}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:27.681{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:27.681{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:27.681{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:27.681{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:27.681{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C183-6156-F300-000000000002}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:27.681{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C183-6156-F300-000000000002}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001764809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:27.682{5EBD8912-C183-6156-F300-000000000002}5496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001764808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:27.166{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A46782C251FE153261EB98CAB7FE1B92,SHA256=C8CFB19A24A6F19F6DCC9FF55C8A83D836D06F699C05D3047A8E83E37104BA52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:27.056{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61FAB794405B349CF42B48D38805979C,SHA256=F36CDCBC434F687EE6D9BCCD8BD9F0F35ED7CB2A2E64D5A498004F50AA298207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:28.810{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C6907F3778AB4FF54F70366F7DAE48,SHA256=E5D2368E6B29E18319B84B97EB405ADAB575E800ABEAE66AF454B4E11DA84061,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001670488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:06:28.748{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69b-0x3cd4c6d5) 23542300x80000000000000001764819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:28.713{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2740F3B2328395802D20CC5F88256E0,SHA256=4877E8E22F206157DC5CB00CC5E92B1204822AAD544480A76817C9CE80B0C436,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:26.117{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61915-false10.0.1.12-8000- 23542300x80000000000000001764817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:28.181{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD1CFB58CC2CAFDB60747753C439734A,SHA256=69300A99B543CEEF15E2F6F63FB5A2F0B7B6A736E391012C8B75B0FCEBDE2B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:29.826{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC9131C96B29B4544DDA2EF4F5FF799,SHA256=1E27EBA264BA3059F5336042D74AEDCE97223BA795799FE9B953D4CF8FA05856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:29.197{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953192016693825B1C967AFE00D8C025,SHA256=40230700CDB5AB9932BC5F233CFFF0CA6AB58ADB6602F8BE899184EE5713175C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:30.841{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1737CA4A4151F9B23487C1AFEAE504,SHA256=F09866C0687609153CB21D8CF9718A02372B6696A7565A9DB8A393E46446E3DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:30.259{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B4C27936742B1ED8265A55E3417D9F,SHA256=AD67C3BFC7AAE9CDEC12400A1D082BEB4D44E7BE623BD869937A1B4DF15DC97D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:31.856{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C4B03D11A221BCA350574CE78262E9,SHA256=1B9E8F41597FB9A5D3E62D4ACDEBCDBF3FEB422CB9AB7FE733AFECD625D1433C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:31.277{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4689436F682DA6759CA6F561D4AC43F,SHA256=011ABDE66998F09C9A15572D480896F9CD1969FEB7D7D2D4072F516EDE5F36B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:29.659{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49840-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:32.872{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C1CD62EA51D8B8B2C0B5B08E36F63C8,SHA256=BDB62F9A1E7474A7F7AFA22DB23C94DF9BCA046B6DC2B3F5C6BF84A17A65C2A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:32.322{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B23CEE4FB4F2B697E21504C9EE4847D,SHA256=06ACEFB46A266DF1173AD42C0D863501FDF5BBB8E9A9B86C22CD4E8E59419FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:32.056{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7CE4837B97861244EDD4DEAF15A621E2,SHA256=1433E3FBB6097742FFA4A8CB05CA3583C75A0C7067FA52B011D350C91215D679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:32.056{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E565E8BB4F7360FCFF9A65542CF4BF39,SHA256=06D726C5E2E23E6B747C9D3120FB87EB0A96BA96ED053A4DA16754F3BFF7DD86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:33.887{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983F2BD098DC1085B3086118128C7CC6,SHA256=E3D7AC97E37BB0234737679D959C8D7FAF4F247E6CBAA0BB56D58C694F542219,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:32.101{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61916-false10.0.1.12-8000- 23542300x80000000000000001764826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:33.353{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E29254C50EFC1F3F709AA561D2B49C7,SHA256=9452A6FD6151E6009A34622C876D511FBC5E79EE9CD56CFDCA308055AD709688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:34.902{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DDCC00033211CAB167E84D748355F19,SHA256=ACFFD623D01CA10C44277F01377D7DB410AF980C8F4A18C349F81EB4D7A463E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:34.353{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5172FCA3114194FF498B7EBCCD94EAB6,SHA256=4B2852BA3A1BC2150FB76B3B5BAF3F3CDC4E9E79AD3013030F0A5792E1E4C410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:35.918{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB1BD1F89348B0DA3ECAAB79A4F68685,SHA256=DDAAF03BE517E51BF886DBA8D480504F29D99141A437D4E03219A83C542055B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:35.384{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F251752F3E158239B7A8239D996DFAB,SHA256=1CA21EF7E2804F55C1FACD6E36A0F51B3599846C08E19C7503587DEFC44DFF1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:36.933{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85F66230E456A06BAC263647B9FDCEF,SHA256=67AB8DAE70D805742701A8E7A22F0651DDBF5D1A3E64A8CB62EEA442A321F270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:36.431{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638BF3C11C189A9BAB5FA45A3AA22E9A,SHA256=90E1F5A44B6FAD4E7A643B91BB5F9A129E61B25F09AA1836F18AF6F5982C2B2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:35.533{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49841-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:37.948{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE053E2B4CA74BC5BC9AD2461133FBB8,SHA256=C8EFE3F11711768B02ED16EECA7FBFE142E18A4329CEBF5B400E6ACF15177ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:37.462{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D038D7E9E458A1E66E59C581D30A27E8,SHA256=99533C87C3D91F2DE8D861A4EE5FD2D6DD819118F81AABB27CAB0351F403DD88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:38.964{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4BBDD0732C85050E26DA5B029A87DA6,SHA256=F080ADC7A2F422EB07EAC95EDF1E9BC7EBE445AE2B2BBB86F682E123ED3679B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:38.572{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0A90FEEFFE95A7F26EDF8B60E7B85A,SHA256=D60191CFD732EB43DD59E3B5ADE5B2810AEEDA3D9342E30FB11B9705E47B414C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:39.979{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBBEF1E47704C8F7F2179F61DFD57D03,SHA256=2C10CFD876E1D11511F82714765F14A52A63DE12C94BC197890E74121AD0B7E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:39.681{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ADDBB5EBF4D300FB60D8FFC0D5F1F68,SHA256=9AD74B2919C866D98338E5C742402E75FA2662CAB931C7797B884C88C290F2B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:40.995{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88DF0D533AF13AE94DADDAB043A4C305,SHA256=252ADAF009500F763B3EF29A36513AC857AB265A2846F3BBE469C352C8FFEC1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:40.728{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD169A8154F7E2EEFFA56AE444477C0,SHA256=CCF4F75FA0C6EE463F5930E5516293E5BC4294CF28E5B2029523617CB8C3B93B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:38.085{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61917-false10.0.1.12-8000- 23542300x80000000000000001764836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:41.759{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72909A9195E3CE1C4676E91E566497A2,SHA256=24AD312D1A9D6D3667CAF9FD445ED51E788758CBF40A7DF631AFC0629CB68C1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:40.627{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49842-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001764837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:42.775{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F548CCCCD3626D0C9DED2967D9C66A,SHA256=E6433C8DC3F20B4C6B76BD1C8B3243FD5F6816471F18623BDE3F16A5B02A319B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:42.010{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B148C637719A6C1E865D7B8786F071BA,SHA256=A2E5514CF2315556CFFB00A8DFCB5D0A9D67AD471FDFF64389A398BD7641E23B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:43.837{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145A7B851B079DA4B3FCAE679868F8CA,SHA256=EA2B2BB7A959FFD5A4E614F61C78F0E919DE793FCA6FCEA578E08918864E6CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:43.025{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247AC812EFEAB63FC8C7D82F06E1FE8E,SHA256=8462DA55EF136DDC3C9CC873DDA499C7F186371A2F49616772EC8EA378F91C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:44.869{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE95FEC7029DB6BF6D8AB40040019AF4,SHA256=5133BC7C5593741B724BBA6EC0443395FAE169AA4DDE2998884F22775015DB52,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001670508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:06:44.744{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69b-0x465d927a) 23542300x80000000000000001670507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:44.041{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1202D8B68AA3DBDAD436EF9776CEAA29,SHA256=4693A1A8A4E9F5C0291DF7041342E4C73B79592B7CE8354E05CCF0FF8F1A2F2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:45.900{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=408BF6696F863073537BDFEB2A470D9C,SHA256=251BE1C6E67AA54A58491DC93C752932E909CCFCF9DFCD40B8706B7CA0229A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:45.056{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DAB4377ED092751F27C225ECC0F8232,SHA256=983B8ECCC952AFC04E785B2445094DDA20365BC89C2151A3CC20F535D329706E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:43.117{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61919-false10.0.1.12-8000- 23542300x80000000000000001764842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:46.916{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54DF1150C8A9FAFF68BABCA44D125C48,SHA256=0F502D1D50B0067F93E9C50F57270B7C80B6C5E14BDA8A9BB02C3B1D9A7CF822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:46.071{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F231CC71177F9F0CBFA08D4C5305867E,SHA256=7E814B84B5BE31040C0681B1076555204F01DB70A257542C22947B72B1A6FE97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:47.947{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107A4088A51FA5620BDDD0954A816D9A,SHA256=A76030F4354B071D165C43EB785261E8DDD80D2F46B69778061D7DB97C5CF454,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:46.611{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49843-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:47.087{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C1E2624D116867A3FE145502315228,SHA256=2F7EFC142153772C7004ABF4B42B9D00F816040C5BCA5BC1DF2A48FE3E483213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:48.994{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5B81551D4B421C45AD11E22D44F9FD,SHA256=87A0C377361924EE00AC6B37577320747D97416E871F10A5E4603E3A9F98492B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:48.212{69CF5F33-BF40-6156-1100-000000000002}1004NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=57F2FCA49482DDA7E9FA30FBF3DB8A42,SHA256=D228093A00B1ACDB1D6A40629E1FF1D01CD6A609CC14AEDECD1A2EB6C8B3F455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:48.102{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FDC5E739E99E26B61E20A674B0EA42,SHA256=D04E3D02A5CB1B3A2501DD40AA5400FA6DD18E5D4CB8436B3316AFE9DDFB18FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.805{69CF5F33-BF40-6156-0D00-000000000002}8243984C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.805{69CF5F33-BF40-6156-0D00-000000000002}8243984C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1300-000000000002}384C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.680{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D646D5CD1E427FD51956DCC27C68B7CF,SHA256=CB2767D68BF873863A2F18001E2C388AFD4365DB0C3F0C7F6F641146906A9138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.680{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DEFB079182436F2B8795FD8D1E24D8BF,SHA256=6D1A82E801250C53E754A449FE34986015D22A145C01C8500F7A10D717B59341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.508{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C02CA321A29B37F4A344322039E62E0,SHA256=2B449F47592AFBD85DB5833339092831797B819F2422AB872366A8B50C1F96AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.227{69CF5F33-C199-6156-C400-000000000002}1396984C:\Windows\system32\conhost.exe{69CF5F33-C199-6156-C300-000000000002}2852C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.227{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-0F00-000000000002}948C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001670570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.227{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.227{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.227{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.227{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.227{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.227{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.211{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C199-6156-C400-000000000002}1396C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.211{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-C199-6156-C000-000000000002}3300C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.211{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.211{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.211{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.211{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.211{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.211{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.211{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:49.744{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-BF3D-6156-0100-000000000002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001670555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.211{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.211{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.211{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C199-6156-C300-000000000002}2852C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.211{69CF5F33-BF40-6156-1600-000000000002}12041344C:\Windows\system32\svchost.exe{69CF5F33-C199-6156-C300-000000000002}2852C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.211{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.211{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.196{69CF5F33-C199-6156-C100-000000000002}39723132C:\Windows\system32\conhost.exe{69CF5F33-C199-6156-C000-000000000002}3300C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C199-6156-C200-000000000002}3204C:\Windows\system32\speech_onecore\common\SpeechModelDownload.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF40-6156-1600-000000000002}12041560C:\Windows\system32\svchost.exe{69CF5F33-C199-6156-C200-000000000002}3204C:\Windows\system32\speech_onecore\common\SpeechModelDownload.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C199-6156-C100-000000000002}3972C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0B00-000000000002}6442352C:\Windows\system32\lsass.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0B00-000000000002}6442352C:\Windows\system32\lsass.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C199-6156-C000-000000000002}3300C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF40-6156-1600-000000000002}12041560C:\Windows\system32\svchost.exe{69CF5F33-C199-6156-C000-000000000002}3300C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.180{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.118{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763CAFE144F07D51B334AD44DFCED3D6,SHA256=7014C14579A9946A02772078A2DF4488FA7899BC558F1B9ACBE3DE96958E26C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.946{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-C19A-6156-CF00-000000000002}1312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.915{69CF5F33-C19A-6156-D000-000000000002}27762140C:\Windows\system32\conhost.exe{69CF5F33-C19A-6156-D400-000000000002}3696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.915{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C19A-6156-D400-000000000002}3696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.915{69CF5F33-C19A-6156-CF00-000000000002}13121624C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{69CF5F33-C19A-6156-D400-000000000002}3696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+35491|UNKNOWN(00007FFE6E0B5A07) 354300x80000000000000001670692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:49.693{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49844-false51.124.78.146-443https 10341000x80000000000000001670691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.900{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-C19A-6156-D300-000000000002}2000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.900{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-C19A-6156-D300-000000000002}2000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.884{69CF5F33-C19A-6156-D000-000000000002}27762140C:\Windows\system32\conhost.exe{69CF5F33-C19A-6156-D300-000000000002}2000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.868{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C19A-6156-D300-000000000002}2000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.868{69CF5F33-C19A-6156-CF00-000000000002}13121624C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{69CF5F33-C19A-6156-D300-000000000002}2000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+35491|UNKNOWN(00007FFE6E0B5A07) 10341000x80000000000000001670686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.822{69CF5F33-C19A-6156-D200-000000000002}100360C:\Windows\system32\conhost.exe{69CF5F33-C19A-6156-D100-000000000002}2560C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.806{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C19A-6156-D200-000000000002}100C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000001670684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.742{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5F8501A887BD6DBE108501DA0AF2CC,SHA256=CD245A03541F22FCCA1D3B8ABA5311DB1C681C23A964644D208E0EA09D694636,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.711{69CF5F33-C19A-6156-D000-000000000002}27762140C:\Windows\system32\conhost.exe{69CF5F33-C19A-6156-CF00-000000000002}1312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.711{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.711{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.711{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.711{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C19A-6156-D100-000000000002}2560C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-C19A-6156-C500-000000000002}34523328C:\Windows\system32\taskhostw.exe{69CF5F33-C19A-6156-D100-000000000002}2560C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01b0|UNKNOWN(00007FFE6E0A15F2) 154100x80000000000000001670671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.707{69CF5F33-C19A-6156-D100-000000000002}2560C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe4.8.4330.0 built by: NET48REL1LAST_BMicrosoft .NET Framework optimization serviceMicrosoft® .NET FrameworkMicrosoft CorporationNGenTask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe" /RuntimeWide /StopEvent:256C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=196F531423F864F990B24F3D3AFA9AA1,SHA256=353C8C617C87A56F93C9914E219BE4E30A45A0DEA8D98BF34C6BD81A6A287916,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{69CF5F33-C19A-6156-C500-000000000002}3452C:\Windows\System32\taskhostw.exetaskhostw.exe 10341000x80000000000000001670670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C19A-6156-D000-000000000002}2776C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:50.978{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FE57965F2A8B6EFCC4F3B089A9EE64D,SHA256=3FB522020DBF8FDA75E790C65D203F647FCA2BE2C682A7BF9D803E00F789DF4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:50.962{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48E5356AFEA200D45C6AFEA888F28D5A,SHA256=A6C7BC4663394F7C888F2607D675678D58295CA9C729C09926EA97E5E16F19E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:50.056{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DCB78D82AE1B36883D8345AA677B511,SHA256=56D6E99AC9AA901190847A9F315718125F044BBAF177EC5ADE76B91D0605E494,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C19A-6156-CF00-000000000002}1312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.695{69CF5F33-C19A-6156-C500-000000000002}34523076C:\Windows\system32\taskhostw.exe{69CF5F33-C19A-6156-CF00-000000000002}1312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01b0|UNKNOWN(00007FFE6E0A15F2) 154100x80000000000000001670658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.700{69CF5F33-C19A-6156-CF00-000000000002}1312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe4.8.4330.0 built by: NET48REL1LAST_BMicrosoft .NET Framework optimization serviceMicrosoft® .NET FrameworkMicrosoft CorporationNGenTask.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe" /RuntimeWide /StopEvent:784C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=D2DDF021EE6A8A649FB58F6DD05EDED7,SHA256=AC1B312B5D048DAC81327CF083BDEF2966AA883208455490E73D6E34C932B7D9,IMPHASH=00000000000000000000000000000000{69CF5F33-C19A-6156-C500-000000000002}3452C:\Windows\System32\taskhostw.exetaskhostw.exe 10341000x80000000000000001670657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.399{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C19A-6156-CE00-000000000002}3676C:\Windows\system32\CompatTelRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.399{69CF5F33-C19A-6156-C600-000000000002}39403944C:\Windows\system32\compattelrunner.exe{69CF5F33-C19A-6156-CE00-000000000002}3676C:\Windows\system32\CompatTelRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\compattelrunner.exe+53b1|C:\Windows\system32\compattelrunner.exe+3ef9|C:\Windows\system32\compattelrunner.exe+2b7f|C:\Windows\system32\compattelrunner.exe+1522d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.367{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=20116C4CCA5E3B017570A06088749B06,SHA256=2C8F9901C24ECB13451072FAADC4C50FD1BC291807413052B712B51BFF5692A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.352{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38CDA25DD222984685E6989CC846710C,SHA256=D6A7ADFA21937168BCBD1EB289EE2D944ECC59DBE2129CF002BC0BB25EA02F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.352{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3245D5E266C97FA401CD7CD77525FECA,SHA256=18888ED3CC520267C0E977B577F9741F9E609B79F1E114ED81E34B81FC889DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.352{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247A04CE2EBA1473B20BA18FD286AB90,SHA256=70EDE5C7A301A56F0B82DF9ADFFD883262153042622C450B3A127F13E59B1318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.352{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66E081D32BC6DAF0C4F32D36D4DEBAD5,SHA256=BC2F7F360F2D6ED8BDED6824001A5FB1996EDB6B6B6EBD3BEA94BEEEAB4377FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.352{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C2BBE77060251990CBB109389A8118D4,SHA256=EAE7D85C541D7B04BAECB8655CBA550B5F1C23DE0090BF52597190153E537A9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.336{69CF5F33-BF40-6156-1300-000000000002}384NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.logMD5=FCD6BCB56C1689FCEF28B57C22475BAD,SHA256=DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 10341000x80000000000000001670648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.242{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C19A-6156-CD00-000000000002}3864C:\Windows\system32\CompatTelRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.242{69CF5F33-C19A-6156-C600-000000000002}39403944C:\Windows\system32\compattelrunner.exe{69CF5F33-C19A-6156-CD00-000000000002}3864C:\Windows\system32\CompatTelRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\compattelrunner.exe+53b1|C:\Windows\system32\compattelrunner.exe+3ef9|C:\Windows\system32\compattelrunner.exe+2b7f|C:\Windows\system32\compattelrunner.exe+1522d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.227{69CF5F33-C19A-6156-CB00-000000000002}3528536C:\Windows\system32\conhost.exe{69CF5F33-C19A-6156-CA00-000000000002}3532C:\Windows\system32\disksnapshot.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.227{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.227{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.227{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.227{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.227{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.227{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.227{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.227{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.227{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.227{69CF5F33-C19A-6156-C900-000000000002}35082848C:\Windows\system32\conhost.exe{69CF5F33-C19A-6156-C800-000000000002}2092C:\Windows\system32\dstokenclean.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C19A-6156-CB00-000000000002}3528C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-C19A-6156-C700-000000000002}38963524C:\Windows\system32\conhost.exe{69CF5F33-C19A-6156-C600-000000000002}3940C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF3F-6156-0B00-000000000002}644C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C19A-6156-CA00-000000000002}3532C:\Windows\system32\disksnapshot.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF40-6156-1600-000000000002}12042972C:\Windows\system32\svchost.exe{69CF5F33-C19A-6156-CA00-000000000002}3532C:\Windows\system32\disksnapshot.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2be0|c:\windows\system32\UBPM.dll+16d25|c:\windows\system32\UBPM.dll+4552|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.211{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C19A-6156-C900-000000000002}3508C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C19A-6156-C700-000000000002}3896C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C19A-6156-C800-000000000002}2092C:\Windows\system32\dstokenclean.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF40-6156-1600-000000000002}12042972C:\Windows\system32\svchost.exe{69CF5F33-C19A-6156-C800-000000000002}2092C:\Windows\system32\dstokenclean.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2be0|c:\windows\system32\UBPM.dll+16d25|c:\windows\system32\UBPM.dll+4552|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C19A-6156-C600-000000000002}3940C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF40-6156-1600-000000000002}12042972C:\Windows\system32\svchost.exe{69CF5F33-C19A-6156-C600-000000000002}3940C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2be0|c:\windows\system32\UBPM.dll+16d25|c:\windows\system32\UBPM.dll+4552|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.195{69CF5F33-BF3F-6156-0C00-000000000002}740800C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:50.133{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFA64D46F511A363AB0EC7E1B3596157,SHA256=B65F057219DB19FA17BB89FFFDB1C00D190EE65AD2E8255AC1AA4CCE7E5F9C30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:51.868{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-C19A-6156-D100-000000000002}2560C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:51.837{69CF5F33-C19A-6156-D200-000000000002}100360C:\Windows\system32\conhost.exe{69CF5F33-C19B-6156-D600-000000000002}3136C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:51.837{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C19B-6156-D600-000000000002}3136C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:51.837{69CF5F33-C19A-6156-D100-000000000002}25601828C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{69CF5F33-C19B-6156-D600-000000000002}3136C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+3d7ae(wow64)|UNKNOWN(00000000010C4853)|UNKNOWN(00000000010C4504)|UNKNOWN(00000000010C5A9B)|UNKNOWN(00000000010C28F8)|UNKNOWN(00000000010C0F66)|UNKNOWN(00000000010C0950)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+f066(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1230a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+185eb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+199407(wow64) 10341000x80000000000000001670704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:51.806{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-C19B-6156-D500-000000000002}2012C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:51.806{69CF5F33-BF3F-6156-0B00-000000000002}6443428C:\Windows\system32\lsass.exe{69CF5F33-C19B-6156-D500-000000000002}2012C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:51.774{69CF5F33-C19A-6156-D200-000000000002}100360C:\Windows\system32\conhost.exe{69CF5F33-C19B-6156-D500-000000000002}2012C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:51.774{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C19B-6156-D500-000000000002}2012C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:51.774{69CF5F33-C19A-6156-D100-000000000002}25601828C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{69CF5F33-C19B-6156-D500-000000000002}2012C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+3d7ae(wow64)|UNKNOWN(00000000010C4853)|UNKNOWN(00000000010C4504)|UNKNOWN(00000000010C2103)|UNKNOWN(00000000010C0F66)|UNKNOWN(00000000010C0950)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+f066(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1230a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+185eb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+199407(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1bb96a(wow64) 23542300x80000000000000001670699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:51.556{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D646D5CD1E427FD51956DCC27C68B7CF,SHA256=CB2767D68BF873863A2F18001E2C388AFD4365DB0C3F0C7F6F641146906A9138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:51.431{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38CDA25DD222984685E6989CC846710C,SHA256=D6A7ADFA21937168BCBD1EB289EE2D944ECC59DBE2129CF002BC0BB25EA02F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:51.368{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D6879FE391DB1FEDAD3CEE9AE3EF14,SHA256=90934DD517FD95A858C1AD8C3D0BBAA09975E0D504280AE7ED32D8B84D7F86CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:51.962{5EBD8912-BF43-6156-1600-000000000002}12964108C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:51.962{5EBD8912-BF43-6156-1600-000000000002}12964108C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:51.931{5EBD8912-BF43-6156-1200-000000000002}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E0E7C672D4FEB541FF348E1ADE9203C4,SHA256=173A55F73E79F4CA790BCBC3593914800091501E31A4338FD332604FD351D6DC,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001764854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:49.744{5EBD8912-BF43-6156-1200-000000000002}404WIN-DC-4290fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 354300x80000000000000001764853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:49.744{5EBD8912-BF3D-6156-0100-000000000002}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61921-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001764852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:49.744{5EBD8912-BF3D-6156-0100-000000000002}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61921-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001764851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:49.317{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54265318- 354300x80000000000000001764850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:49.148{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61920-false10.0.1.12-8000- 23542300x80000000000000001764849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:51.072{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504DFBF3A9C3D0B8FA8EF48815BBD281,SHA256=AF5E469336A02E86565AB6969A7EBB26BD071624B2A7190162920A5B27DC22C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:51.675{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49845-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:52.852{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B56AE74745BA5D2A13F186632A950E8D,SHA256=38A97C7F52C28E937207184EB6E3C16FA75CE3F1833A3DEAD008880D2C2861BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:52.587{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3C2CB7D8A09AB60FB861E1E520B4EF,SHA256=264926519A8E3C06D6E96E77C31EC5ACE3292F6B449F65D3E2992C6209D5D095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001764918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.712{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FE57965F2A8B6EFCC4F3B089A9EE64D,SHA256=3FB522020DBF8FDA75E790C65D203F647FCA2BE2C682A7BF9D803E00F789DF4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.603{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.603{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.603{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001764914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.603{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.603{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.603{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.603{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.603{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.603{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.556{5EBD8912-BF43-6156-1600-000000000002}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=9E0C5DA42DDA8ABDBA5DDB8DB4A77F84,SHA256=F1B377F1146510EF9061398EBC451AB81ADD27D945077585B3C3F91AC436BA7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.540{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-C19C-6156-F600-000000000002}3132C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.478{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB32CB53F44C78E4DF8200444D07BD79,SHA256=D920ECA6FFB5A865458E74F338DFE15DB1707CFDC0F57CAB1EAC36BD3AAB9510,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001764905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.150{5EBD8912-C19C-6156-FA00-000000000002}56085420C:\Windows\system32\conhost.exe{5EBD8912-C19C-6156-F900-000000000002}5612C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.150{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.150{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.150{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.150{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.134{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C19C-6156-FA00-000000000002}5608C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.134{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.134{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.134{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.134{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.134{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C19C-6156-F900-000000000002}5612C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.134{5EBD8912-BF43-6156-1600-000000000002}12961944C:\Windows\system32\svchost.exe{5EBD8912-C19C-6156-F900-000000000002}5612C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.134{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.119{5EBD8912-C19C-6156-F700-000000000002}59926064C:\Windows\system32\conhost.exe{5EBD8912-C19C-6156-F600-000000000002}3132C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.119{5EBD8912-C19C-6156-F500-000000000002}26284944C:\Windows\system32\conhost.exe{5EBD8912-C19C-6156-F400-000000000002}5980C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.119{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C19C-6156-F800-000000000002}5252C:\Windows\system32\speech_onecore\common\SpeechModelDownload.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.119{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-C19C-6156-F800-000000000002}5252C:\Windows\system32\speech_onecore\common\SpeechModelDownload.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.119{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C19C-6156-F700-000000000002}5992C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.119{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.119{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.119{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.119{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C19C-6156-F500-000000000002}2628C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C19C-6156-F600-000000000002}3132C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-C19C-6156-F600-000000000002}3132C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001764870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:50.824{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54254723- 10341000x80000000000000001764869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C19C-6156-F400-000000000002}5980C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-C19C-6156-F400-000000000002}5980C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.103{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.087{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A908DD7D05A7C5D3903D64272E7D07,SHA256=495BBCB8D512002CE707DAD08847A0B67BD8A7DAC3DA4428DD0EC3313497A1AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:53.602{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E4A0387B341D1A1CAFBF403490F0C39,SHA256=1FEC7B447C5D447BB383BFB0FF9F6F8FD736E55183066536CE65077D9610C88B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.978{5EBD8912-C19D-6156-0D01-000000000002}53405060C:\Windows\system32\conhost.exe{5EBD8912-C19D-6156-1001-000000000002}5688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.978{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-1001-000000000002}5688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.978{5EBD8912-C19D-6156-0C01-000000000002}53365736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{5EBD8912-C19D-6156-1001-000000000002}5688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+35491|UNKNOWN(00007FF888625A07) 10341000x80000000000000001765079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.931{5EBD8912-C19D-6156-0F01-000000000002}53564532C:\Windows\system32\conhost.exe{5EBD8912-C19D-6156-0E01-000000000002}4892C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.915{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0F01-000000000002}5356C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000001765077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.869{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F7AFB3D23FF988B011CB38AE3ACAB48,SHA256=54DBFD93B759AA8BD8B8534EA47EE5837D0DEBAD3D04D49B728DFA229EE941F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.775{5EBD8912-C19D-6156-0D01-000000000002}53405060C:\Windows\system32\conhost.exe{5EBD8912-C19D-6156-0C01-000000000002}5336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.775{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.775{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.775{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.775{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.775{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0E01-000000000002}4892C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.775{5EBD8912-C19D-6156-FE00-000000000002}46005348C:\Windows\system32\taskhostw.exe{5EBD8912-C19D-6156-0E01-000000000002}4892C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01b0|UNKNOWN(00007FF8886315F2) 154100x80000000000000001765069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.780{5EBD8912-C19D-6156-0E01-000000000002}4892C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe4.8.4330.0 built by: NET48REL1LAST_BMicrosoft .NET Framework optimization serviceMicrosoft® .NET FrameworkMicrosoft CorporationNGenTask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe" /RuntimeWide /StopEvent:320C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=196F531423F864F990B24F3D3AFA9AA1,SHA256=353C8C617C87A56F93C9914E219BE4E30A45A0DEA8D98BF34C6BD81A6A287916,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5EBD8912-C19D-6156-FE00-000000000002}4600C:\Windows\System32\taskhostw.exetaskhostw.exe 10341000x80000000000000001765068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.775{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0D01-000000000002}5340C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.759{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.759{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.759{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0C01-000000000002}5336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.759{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.759{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.759{5EBD8912-C19D-6156-FE00-000000000002}46005288C:\Windows\system32\taskhostw.exe{5EBD8912-C19D-6156-0C01-000000000002}5336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01b0|UNKNOWN(00007FF8886315F2) 154100x80000000000000001765061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.770{5EBD8912-C19D-6156-0C01-000000000002}5336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe4.8.4330.0 built by: NET48REL1LAST_BMicrosoft .NET Framework optimization serviceMicrosoft® .NET FrameworkMicrosoft CorporationNGenTask.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe" /RuntimeWide /StopEvent:412C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=D2DDF021EE6A8A649FB58F6DD05EDED7,SHA256=AC1B312B5D048DAC81327CF083BDEF2966AA883208455490E73D6E34C932B7D9,IMPHASH=00000000000000000000000000000000{5EBD8912-C19D-6156-FE00-000000000002}4600C:\Windows\System32\taskhostw.exetaskhostw.exe 10341000x80000000000000001765060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.759{5EBD8912-BFAA-6156-8800-000000000002}10163420C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BF43-6156-1100-000000000002}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001765059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.759{5EBD8912-BFAA-6156-8800-000000000002}10163420C:\Windows\System32\RuntimeBroker.exe{5EBD8912-BF43-6156-1100-000000000002}444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x80000000000000001765058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.619{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BEA5F0A51DC14FF3E806599FA7692E28,SHA256=0413BCD3D12EC7CE37C38C52706C67AD850EDD86DAA7840D52ADEB4D1C3E2F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.603{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7CE4837B97861244EDD4DEAF15A621E2,SHA256=1433E3FBB6097742FFA4A8CB05CA3583C75A0C7067FA52B011D350C91215D679,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.525{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0B01-000000000002}5276C:\Windows\system32\CompatTelRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.525{5EBD8912-C19D-6156-FF00-000000000002}37243732C:\Windows\system32\compattelrunner.exe{5EBD8912-C19D-6156-0B01-000000000002}5276C:\Windows\system32\CompatTelRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\compattelrunner.exe+53b1|C:\Windows\system32\compattelrunner.exe+3ef9|C:\Windows\system32\compattelrunner.exe+2b7f|C:\Windows\system32\compattelrunner.exe+1522d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.494{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.494{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.494{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.494{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.494{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.494{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.494{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001765047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.415{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E0B11C03E6009C86E18EF9ED5C7F6F1E,SHA256=F69352E33264509B4F3238239D81317A0004AD1B5BA6D097FFCFD2B0A1135931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.415{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5F77C99A2E34E16E1E9413ABFB729DD9,SHA256=9FDE7B12AB86FE295FAF9ADBCD2CF2CEC58D7FECF80D5C50B61F1AF6AB224427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.400{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6C83689F8FF597A7C4DAB3901E80C9D3,SHA256=E941BB0D9F646A4191A0354DD9C4E19D90CF9E2C426C5C9C62FA14472DD41290,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.384{5EBD8912-C19D-6156-0801-000000000002}14084336C:\Windows\System32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+7b27|c:\windows\system32\appxdeploymentserver.dll+2db00|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115046|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.369{5EBD8912-BF43-6156-1600-000000000002}12961364C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-0A01-000000000002}5772C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.369{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-0A01-000000000002}5772C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001765041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.369{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=30348F734D9683C41D3F788060A1D9B7,SHA256=6339DB0777E55527091FF6AABBCD7DF68666A1F7781863EBB5A2ECA6FE032491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.369{5EBD8912-C19D-6156-0A01-000000000002}57725408C:\Windows\system32\conhost.exe{5EBD8912-C19D-6156-0901-000000000002}6136C:\Windows\System32\sdiagnhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.353{5EBD8912-C19D-6156-0801-000000000002}14084336C:\Windows\System32\svchost.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115046|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001765038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.353{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=30348F734D9683C41D3F788060A1D9B7,SHA256=6339DB0777E55527091FF6AABBCD7DF68666A1F7781863EBB5A2ECA6FE032491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.353{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0A01-000000000002}5772C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000001765036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.353{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553D1819430917BF6DBBB3B15E1D524A,SHA256=0CEF1925466D749B11CAA835074B41176BFC3FEDD689A8F3A4A48AE6D4C58F6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.353{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B39547C032776848EA22DB5F21959C40,SHA256=4FFB404C12BCF0B98425100052CF6435B223EF791E42034FE68238826DDBE657,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.353{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-0901-000000000002}6136C:\Windows\System32\sdiagnhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.337{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0901-000000000002}6136C:\Windows\System32\sdiagnhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.337{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.337{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.337{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.337{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.337{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0901-000000000002}6136C:\Windows\System32\sdiagnhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.337{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-0901-000000000002}6136C:\Windows\System32\sdiagnhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001765026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.337{5EBD8912-C19D-6156-0901-000000000002}6136C:\Windows\System32\sdiagnhost.exe10.0.14393.0 (rs1_release.160715-1616)Scripted Diagnostics Native HostMicrosoft® Windows® Operating SystemMicrosoft Corporationsdiagnhost.exeC:\Windows\System32\sdiagnhost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=C91529A7EB209224BF6D6D47A4620865,SHA256=6FEDAAF41148F8E0803451B44AA5270AE6F96BF6D31CB81B3FE9459D2239E54E,IMPHASH=A625AFC217C115D82C4B28A4564D88A8{5EBD8912-BF43-6156-0C00-000000000002}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001765025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.322{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.322{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1300-000000000002}504C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001765023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.259{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E885E649F2CD2A28E7AF507AB501F14E,SHA256=2D63F6E2DAD08B1F81548BBCFEA0B040AEDA9E7F3624C0A85039454F4D227E83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.244{5EBD8912-BF41-6156-0A00-000000000002}6282712C:\Windows\system32\services.exe{5EBD8912-C19D-6156-0801-000000000002}1408C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.244{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-0801-000000000002}1408C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001765020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.244{5EBD8912-C19D-6156-FD00-000000000002}5412C:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\TS_WERQueue.ps12021-10-01 08:06:53.244 11241100x80000000000000001765019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.244{5EBD8912-C19D-6156-FD00-000000000002}5412C:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\TS_InaccurateSystemTime.ps12021-10-01 08:06:53.244 10341000x80000000000000001765018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.244{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0801-000000000002}1408C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.244{5EBD8912-BF41-6156-0A00-000000000002}6282704C:\Windows\system32\services.exe{5EBD8912-C19D-6156-0801-000000000002}1408C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001765016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.244{5EBD8912-C19D-6156-FD00-000000000002}5412C:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\TS_DiagnosticHistory.ps12021-10-01 08:06:53.244 11241100x80000000000000001765015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.244{5EBD8912-C19D-6156-FD00-000000000002}5412C:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\RS_UserWERQueue.ps12021-10-01 08:06:53.244 10341000x80000000000000001765014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.244{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.244{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.244{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.244{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001765010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.244{5EBD8912-C19D-6156-FD00-000000000002}5412C:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\RS_UserDiagnosticHistory.ps12021-10-01 08:06:53.244 11241100x80000000000000001765009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.228{5EBD8912-C19D-6156-FD00-000000000002}5412C:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\RS_SyncSystemTime.ps12021-10-01 08:06:53.228 10341000x80000000000000001765008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.228{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.228{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.228{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.228{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001765004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.228{5EBD8912-C19D-6156-FD00-000000000002}5412C:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\RS_MachineWERQueue.ps12021-10-01 08:06:53.228 11241100x80000000000000001765003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.228{5EBD8912-C19D-6156-FD00-000000000002}5412C:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\RS_AdminDiagnosticHistory.ps12021-10-01 08:06:53.228 11241100x80000000000000001765002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:06:53.228{5EBD8912-C19D-6156-FD00-000000000002}5412C:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\DiagPackage.dll2021-10-01 08:06:53.228 11241100x80000000000000001765001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.228{5EBD8912-C19D-6156-FD00-000000000002}5412C:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\CL_Utility.ps12021-10-01 08:06:53.228 10341000x80000000000000001765000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.212{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0701-000000000002}5000C:\Windows\system32\CompatTelRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.212{5EBD8912-C19D-6156-FF00-000000000002}37243732C:\Windows\system32\compattelrunner.exe{5EBD8912-C19D-6156-0701-000000000002}5000C:\Windows\system32\CompatTelRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\compattelrunner.exe+53b1|C:\Windows\system32\compattelrunner.exe+3ef9|C:\Windows\system32\compattelrunner.exe+2b7f|C:\Windows\system32\compattelrunner.exe+1522d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.197{5EBD8912-BFA9-6156-8100-000000000002}37161076C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.197{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.197{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.197{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.197{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.197{5EBD8912-C19D-6156-0501-000000000002}50242456C:\Windows\system32\conhost.exe{5EBD8912-C19D-6156-0301-000000000002}5760C:\Windows\system32\disksnapshot.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.197{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.197{5EBD8912-C19D-6156-0201-000000000002}51523320C:\Windows\system32\conhost.exe{5EBD8912-C19D-6156-0001-000000000002}5480C:\Windows\system32\dstokenclean.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.197{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.197{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.197{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.197{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.181{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.181{5EBD8912-BF43-6156-1600-000000000002}12961864C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+108c6|c:\windows\system32\UBPM.dll+d439|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2be0|c:\windows\system32\UBPM.dll+16d25|c:\windows\system32\UBPM.dll+4552|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.181{5EBD8912-C19D-6156-0101-000000000002}43802128C:\Windows\system32\conhost.exe{5EBD8912-C19D-6156-FF00-000000000002}3724C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.181{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.181{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.181{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.181{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0501-000000000002}5024C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.181{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.165{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.165{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.165{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.165{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.165{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.165{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.165{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.165{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.165{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.165{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.165{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.165{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.165{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0301-000000000002}5760C:\Windows\system32\disksnapshot.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.165{5EBD8912-BF43-6156-1600-000000000002}12961864C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-0301-000000000002}5760C:\Windows\system32\disksnapshot.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2be0|c:\windows\system32\UBPM.dll+16d25|c:\windows\system32\UBPM.dll+4552|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0201-000000000002}5152C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF43-6156-1600-000000000002}12962024C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-FB00-000000000002}4964C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-FB00-000000000002}4964C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0101-000000000002}4380C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-0001-000000000002}5480C:\Windows\system32\dstokenclean.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF43-6156-1600-000000000002}12961864C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-0001-000000000002}5480C:\Windows\system32\dstokenclean.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2be0|c:\windows\system32\UBPM.dll+16d25|c:\windows\system32\UBPM.dll+4552|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-FF00-000000000002}3724C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.150{5EBD8912-BF43-6156-1600-000000000002}12961864C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-FF00-000000000002}3724C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2be0|c:\windows\system32\UBPM.dll+16d25|c:\windows\system32\UBPM.dll+4552|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001764934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:51.408{5EBD8912-BF43-6156-0F00-000000000002}352C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.89.190.250-56099-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001764933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BFA9-6156-8100-000000000002}37161076C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-FB00-000000000002}4964C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C19D-6156-FB00-000000000002}4964C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001764921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-1600-000000000002}12961864C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-FB00-000000000002}4964C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+108c6|c:\windows\system32\UBPM.dll+d439|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2be0|c:\windows\system32\UBPM.dll+16d25|c:\windows\system32\UBPM.dll+4552|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001764920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.134{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001764919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.103{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64FE0BFA3AFB656DC1ECC11E40E39A1,SHA256=8C72EFB6230AFEC2303E47DB94712F230BBDBBBD9C923A1D66648B233F039B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:54.758{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F63A2DAD8A884E83743FB153DBC8F4E,SHA256=AE7C861390AD30C27843C3A7B2A075DC13FDB59DF59E50D78F75DBB9326C286E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.978{5EBD8912-C19D-6156-0F01-000000000002}53564532C:\Windows\system32\conhost.exe{5EBD8912-C19E-6156-1301-000000000002}5492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.962{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C19E-6156-1301-000000000002}5492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.962{5EBD8912-C19D-6156-0E01-000000000002}48925332C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{5EBD8912-C19E-6156-1301-000000000002}5492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+3d7ae(wow64)|UNKNOWN(00000000018D4853)|UNKNOWN(00000000018D4504)|UNKNOWN(00000000018D2103)|UNKNOWN(00000000018D0F66)|UNKNOWN(00000000018D0950)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+f066(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1230a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+185eb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+199407(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1bb96a(wow64) 10341000x80000000000000001765107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.947{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C19E-6156-1201-000000000002}5812C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.947{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-C19E-6156-1201-000000000002}5812C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.931{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.931{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.931{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.759{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-C19D-6156-0901-000000000002}6136C:\Windows\System32\sdiagnhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.759{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-C19D-6156-0901-000000000002}6136C:\Windows\System32\sdiagnhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001765100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.712{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CC7DB6BD3BB7725362E08956CA4C07A4,SHA256=6212C213E427AC70398A3E1A3EFB9FAD8BB505F631517FFF56D525378663A0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.681{5EBD8912-BF53-6156-2C00-000000000002}3016NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001765098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-10-01 08:06:54.509{5EBD8912-C19D-6156-0901-000000000002}6136\PSHost.132775492133375004.6136.DefaultAppDomain.sdiagnhostC:\Windows\System32\sdiagnhost.exe 23542300x80000000000000001765097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.290{5EBD8912-C19D-6156-0901-000000000002}6136ATTACKRANGE\AdministratorC:\Windows\System32\sdiagnhost.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fzljqokr.ef5.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.290{5EBD8912-C19D-6156-0901-000000000002}6136ATTACKRANGE\AdministratorC:\Windows\System32\sdiagnhost.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_d5iyy0nl.ze4.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001765095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.244{5EBD8912-C19D-6156-0901-000000000002}6136C:\Windows\System32\sdiagnhost.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_d5iyy0nl.ze4.ps12021-10-01 08:06:54.244 23542300x80000000000000001765094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.228{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2843254F1EF65AFED4D065A9F9075988,SHA256=0D9A0551C25BED49F8A90A453356F0E68D4F2E9B72F0FD015B031F5BDFE27BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.228{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C4D848801497A958F43BFA2AB91DD2,SHA256=BF4032CBD9F2EC0DA6FF8C157690AEA62550C9CB2E74AAD23600CB878474431D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.616{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61922-false51.124.78.146-443https 354300x80000000000000001765091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:52.608{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62854- 10341000x80000000000000001765090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.087{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-0C01-000000000002}5336C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.025{5EBD8912-C19D-6156-0D01-000000000002}53405060C:\Windows\system32\conhost.exe{5EBD8912-C19E-6156-1101-000000000002}2400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.025{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C19E-6156-1101-000000000002}2400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.025{5EBD8912-C19D-6156-0C01-000000000002}53365736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{5EBD8912-C19E-6156-1101-000000000002}2400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+35491|UNKNOWN(00007FF888625A07) 10341000x80000000000000001765086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.025{5EBD8912-BF43-6156-1600-000000000002}12961364C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.025{5EBD8912-BF43-6156-1600-000000000002}12961320C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.009{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-C19D-6156-1001-000000000002}5688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.009{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-C19D-6156-1001-000000000002}5688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:55.820{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF441D1FFBB3326A578BF0C2E01B9BF,SHA256=0C77B917D52C713C28F8C07D519A0BF54EA33FD07777B5FACC0B6F4053969122,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:55.477{69CF5F33-C19A-6156-CE00-000000000002}36762816C:\Windows\system32\CompatTelRunner.exe{69CF5F33-C19A-6156-C600-000000000002}3940C:\Windows\system32\compattelrunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\invagent.dll+427c2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001765141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.478{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D625F6D342179853A6F505D6507312EB,SHA256=757B80DD467A34C738754EB999B24385BF933B9E5818FDC58E22A059B180A75A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.337{5EBD8912-C19D-6156-FD00-000000000002}5412ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\TS_WERQueue.ps1MD5=C65CE632A3A35DF1E2E687AA94432C58,SHA256=46361B7489F075D4D426B33932A7A94D57F5E03125781E562027AA6D0C448A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.337{5EBD8912-C19D-6156-FD00-000000000002}5412ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\TS_InaccurateSystemTime.ps1MD5=D1F499EF5B4A1B0FE5AC6B9B06D14B36,SHA256=437DEBEAE0F2B876D887A22CE26F44701CEB314E7B22D0292D1527B31805F304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.337{5EBD8912-C19D-6156-FD00-000000000002}5412ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\TS_DiagnosticHistory.ps1MD5=6F42EFE37F2F73BC4D5531A5906844C5,SHA256=00915C9BABA87359A458D23E18F412647852A3260280A0D64AF5E91307C01BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.337{5EBD8912-C19D-6156-FD00-000000000002}5412ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\RS_UserWERQueue.ps1MD5=014BB59898D97EE5E9D0C3D598879659,SHA256=136183A5D64C516CEE0A3CB893ADFA5D083CD4B74113D7665AFEC6E4EDD55C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.337{5EBD8912-C19D-6156-FD00-000000000002}5412ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\RS_UserDiagnosticHistory.ps1MD5=3A3EA51AC79C212F298ED11E5312F4EF,SHA256=4AB9317A0AAE09510C150918C1757C7492C93606268A5E33F56031C244632A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.337{5EBD8912-C19D-6156-FD00-000000000002}5412ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\RS_SyncSystemTime.ps1MD5=4E88B2A8EC2119CE19BE4F646887CD5B,SHA256=DC504537A34A8D3114D414B9681AC1936D59E497DBF39E8BE03760010C978DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.322{5EBD8912-C19D-6156-FD00-000000000002}5412ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\RS_MachineWERQueue.ps1MD5=4EAD5FF0DE8201DAA5C771C9700C45AB,SHA256=77467AE995127372D335D7A5406EBD98CD3385CA7F8644E1342643330EC93341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.322{5EBD8912-C19D-6156-FD00-000000000002}5412ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\RS_AdminDiagnosticHistory.ps1MD5=DAF3CAF9FEE184902F88CF68C916254C,SHA256=659EBF584A5E0D31590D848EA13A3FAFF10C88F2D129BAA3C2A1635BE0E17613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.322{5EBD8912-C19D-6156-FD00-000000000002}5412ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\result\results.xslMD5=310E1DA2344BA6CA96666FB639840EA9,SHA256=67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.322{5EBD8912-C19D-6156-FD00-000000000002}5412ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\en-US\DiagPackage.dll.muiMD5=2051581CB72B3263DE14B39BF544D837,SHA256=06156E74F9B4085C3B62841C8D55330CF485E991D595C225EBCD9819D8CEEFAD,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001765130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.322{5EBD8912-C19D-6156-FD00-000000000002}5412ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\en-US\CL_LocalizationData.psd1MD5=F7DA47F7028569DC57D07218D1349F34,SHA256=C2F24774D7F6E61051C9A0C6E1A8A9F6B7EBA7F7DD6EFB23AD5FED146C721BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.306{5EBD8912-C19D-6156-FD00-000000000002}5412ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\DiagPackage.dllMD5=9BD8A20107B68588946B2553F6823496,SHA256=3E9FDB72C6867646C634CF61DC11A42C776A643497474DD46FF5A478B66B20FE,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001765128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.306{5EBD8912-C19D-6156-FD00-000000000002}5412ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\DiagPackage.diagpkgMD5=68F9409969EEFE28CD847DF2EF085DB5,SHA256=F2981D9A64C0557FA69889434AC56661F257BAD72F48500DCCE57DA859C3E1B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.306{5EBD8912-C19D-6156-FD00-000000000002}5412ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Windows\Temp\SDIAG_88436023-46a7-4dc0-9419-1d84e336b89e\CL_Utility.ps1MD5=1DCB96BED7D20DF592189176D6E200FD,SHA256=6BA73A35A33A242CEFC66637565ECD5356BDBB4FE71263328691D708615889ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.835{5EBD8912-BF43-6156-1100-000000000002}444C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local61925-false184.30.213.87a184-30-213-87.deploy.static.akamaitechnologies.com443https 354300x80000000000000001765125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.818{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64499- 354300x80000000000000001765124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.572{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61924-false93.184.220.29-80http 354300x80000000000000001765123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.544{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61923-false20.190.160.75-443https 354300x80000000000000001765122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:53.533{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62124- 23542300x80000000000000001765121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.212{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CE0DEC1253FEFC94A49B8D56D8A76480,SHA256=AF31566981A8CD29B53B4E71A68D9712CA98D9386C608B2AC8D6C5A7A993A4CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.103{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-0E01-000000000002}4892C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.056{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-C19E-6156-1201-000000000002}5812C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.056{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-C19E-6156-1201-000000000002}5812C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.040{5EBD8912-C19D-6156-0F01-000000000002}53564532C:\Windows\system32\conhost.exe{5EBD8912-C19F-6156-1401-000000000002}5696C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.040{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C19F-6156-1401-000000000002}5696C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.040{5EBD8912-C19D-6156-0E01-000000000002}48925332C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{5EBD8912-C19F-6156-1401-000000000002}5696C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+3d7ae(wow64)|UNKNOWN(00000000018D4853)|UNKNOWN(00000000018D4504)|UNKNOWN(00000000018D5A9B)|UNKNOWN(00000000018D28F8)|UNKNOWN(00000000018D0F66)|UNKNOWN(00000000018D0950)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+f066(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1230a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+185eb(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+199407(wow64) 10341000x80000000000000001765114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.040{5EBD8912-BF43-6156-1600-000000000002}12964584C:\Windows\system32\svchost.exe{5EBD8912-C19E-6156-1201-000000000002}5812C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.009{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-C19E-6156-1301-000000000002}5492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.009{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-C19E-6156-1301-000000000002}5492C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.009{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-C19E-6156-1201-000000000002}5812C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:56.508{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:56.508{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:56.508{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:56.508{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:56.508{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:56.508{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:56.508{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:56.508{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:56.508{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:56.508{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:56.508{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1600-000000000002}1204C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001765147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:54.664{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61926-false10.0.1.12-8089- 10341000x80000000000000001765146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:56.478{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:56.478{5EBD8912-BF41-6156-0B00-000000000002}636804C:\Windows\system32\lsass.exe{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001765144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:56.259{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6421695362F0D5855306085E644B151E,SHA256=C2F1FF6030FE4254CFD22E235A09F931E90DE68671C6CAFC3FA223C8B4E66E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:56.103{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=38DA186C58C4541AEA140FA907B7D867,SHA256=B866ABD25EB331C866EAE617EBB1938D2C19901BCAB91DC318AD3178CF01C1B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:56.103{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A022180254CC358755EE498FB65BCCA,SHA256=1FFFD241F06232F2AEC091D71C656138503BCEE7489DCE403D4E89BEE9515E75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.070{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61927-false10.0.1.12-8000- 354300x80000000000000001765150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.054{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local60733- 354300x80000000000000001765149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:55.054{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62660- 23542300x80000000000000001765148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:57.275{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=146590259992348DA113B784CECA228A,SHA256=6983801F257A958E78B086EE9F09EA6ECD2246B94F80C97FFE50ECC741CBF12C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:57.898{69CF5F33-BF40-6156-1A00-000000000002}1872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:57.539{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF61F8374F66FDEE309B7E3B25E3DA05,SHA256=67755CB37F6246F47B2D78FF84CC67DF91C522E8C845311BFA74C752B588EAC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:57.039{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37861DF8CD981C37FFC86702E043A000,SHA256=EB81CE63186D0CA96E91DA8D1B5EC5BBEECE183C90D6A66A99597BA71ADAEB2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:58.603{5EBD8912-C19D-6156-0B01-000000000002}52762308C:\Windows\system32\CompatTelRunner.exe{5EBD8912-C19D-6156-FF00-000000000002}3724C:\Windows\system32\compattelrunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\invagent.dll+427c2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001765152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:58.509{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CFC067C5E939D27045E7540F960FAD8,SHA256=173639531AF2CDD268744C018B022E328C0A8D5AE95ABCE3042D4F75D91B68DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:58.101{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B699FD99C1AE0AD35471026E768BBDD6,SHA256=A64910A8906E30B804CEF10577D769CD19C62F7AE1BA95D8040971F720E7A78E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:06:59.665{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D34D452863D5F063AA96DB88B8044982,SHA256=B5431DFDE511F13C1DF84752605836C448D3CE558C81FFB0887AF5F2BED55C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:59.257{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=070E4854B3EF9851D5C7B9666DC6C37B,SHA256=BA3D76785D584FEF414292CF7D7FCC9BC66D68EE38977522000E3DFCBE807F1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:58.331{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49847-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001670731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:06:57.675{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49846-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001765155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:00.665{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547E448BAD50B2B864F3FD7A827B79D1,SHA256=5F090E1E0E48166815577C7E06760D458887343E860248980E9E92AAC4274C01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.944{69CF5F33-C1A4-6156-D900-000000000002}28844088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.647{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C1A4-6156-D900-000000000002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.632{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.632{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.632{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.632{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.632{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.632{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.632{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.632{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.632{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.632{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C1A4-6156-D900-000000000002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.632{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C1A4-6156-D900-000000000002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.632{69CF5F33-C1A4-6156-D900-000000000002}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.288{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8EA3D02AD4A3CB97B164DFF5A3FD353,SHA256=271E740F08FB1A16FE6E6DFD691C39F983C0EAC41641DBF2ADE0EE529C2DBDAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.007{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C1A4-6156-D800-000000000002}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.007{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.007{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.007{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.007{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.007{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.007{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.007{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.007{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.007{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.007{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C1A4-6156-D800-000000000002}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.007{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C1A4-6156-D800-000000000002}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:00.007{69CF5F33-C1A4-6156-D800-000000000002}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001765159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:01.697{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD1D1FDB58DED07D60674186AE6FA1C,SHA256=DCA2A95780F3E66F0AFC94AA211D5DBA366DDBFD4383D81EFF7CF512302C21F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:01.506{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C1A5-6156-DA00-000000000002}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:01.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:01.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:01.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:01.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:01.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:01.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:01.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:01.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:01.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:01.506{69CF5F33-BF3F-6156-0500-000000000002}416544C:\Windows\system32\csrss.exe{69CF5F33-C1A5-6156-DA00-000000000002}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:01.506{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C1A5-6156-DA00-000000000002}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:01.507{69CF5F33-C1A5-6156-DA00-000000000002}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:01.319{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E80FBCF934BFA3486C9391B6B3D9BFA,SHA256=01BA84DFBEB33600B945D50521BB5743E8C0680747B5D90AAAB910CC842B77C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:01.666{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C219DD5E6F349EA221264AC85508D401,SHA256=E20E7040110DADA8B09342B7F8EC979B68FC40EB6F25F552A39B2FCEDBA23E3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:01.666{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6E101BA5A0D8BF897A4B7820394DF83,SHA256=27B0B3F005206649491E9154D23B61AB5112CBC0FF131AE1775057779B1E9810,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:00.211{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61928-false10.0.1.12-8000- 23542300x80000000000000001670762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:01.100{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=149EF5514730F2E1242DAEF2015C5671,SHA256=40760C21D98A553A39A2ED9B0535A12E8E227D66E471F23A380B06B83411B2E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:02.569{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=259AE3DFAC2EEC2AAF072081A0F7B821,SHA256=1DFC83A20698C7E2F35FE1B0C3CABB58A6C79FFBFE93F2B11C73E3DA9FCF8BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:02.334{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9FB4113B8432C9FE8B3CAC602100652,SHA256=A1694B5847803F60834FF99414AA18EA535AE34EA8D104F7AF1E03A4D5B1FE63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:02.728{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D717EAF9F8B5513218B434C97B16864,SHA256=0C3EB197D8D08A208E53802ABF299D8DE1D0C9E6A16049D3BC6C0C9FA1C48C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:03.744{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465C9D127399E34D884B4FD5D91F333D,SHA256=99307DE106567A7EE69B8EC70FDA811FBFDA4270A0A64F082387E213F7877A0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:03.366{69CF5F33-C1A7-6156-DB00-000000000002}2492968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:03.366{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AAD8A0F36A76D74F2F5BD8036DFABA0,SHA256=1AEAC2F86FF11E412E4F800109106F6633E6F8E0E3F1C1B71386EB8AD2C0716C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:03.225{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C1A7-6156-DB00-000000000002}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:03.225{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:03.225{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:03.225{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:03.225{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:03.225{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:03.225{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:03.225{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:03.225{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:03.225{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:03.225{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C1A7-6156-DB00-000000000002}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:03.225{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C1A7-6156-DB00-000000000002}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:03.225{69CF5F33-C1A7-6156-DB00-000000000002}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001670823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.974{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C1A8-6156-DD00-000000000002}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.974{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.974{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.974{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.974{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.974{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.974{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.974{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.974{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.974{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.974{69CF5F33-BF3F-6156-0500-000000000002}416432C:\Windows\system32\csrss.exe{69CF5F33-C1A8-6156-DD00-000000000002}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.974{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C1A8-6156-DD00-000000000002}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.974{69CF5F33-C1A8-6156-DD00-000000000002}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.476{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20211001075651-009MD5=E2350FF87285264FC2F693171FD6908F,SHA256=DD0C2B6A4BAA6FC008B19D4F8AE41D7B35D93255AA75D9D1AFF144D5A1F933A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.459{69CF5F33-C1A8-6156-DC00-000000000002}4243320C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.459{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A369805F286347C0015F11C655A60692,SHA256=325B3D628AC2395D50A1C0C760D4F2D9883CA5AFDF8831E06A17394B96FF6523,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001765166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:04.993{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\CbsProvider.dll2021-10-01 08:07:04.993 11241100x80000000000000001765165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:04.993{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\AssocProvider.dll2021-10-01 08:07:04.993 11241100x80000000000000001765164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:04.978{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\AppxProvider.dll2021-10-01 08:07:04.978 23542300x80000000000000001765163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:04.806{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF669F52D9255A160D4C107092451E1,SHA256=23F49CEEBC995FC233BE7F351D3C3BEAF485C9779E9BF9870C3AD9706393D91E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:04.228{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.302{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C1A8-6156-DC00-000000000002}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.302{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.302{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.302{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.302{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.302{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.302{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.302{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.302{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.302{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.302{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C1A8-6156-DC00-000000000002}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.302{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C1A8-6156-DC00-000000000002}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.303{69CF5F33-C1A8-6156-DC00-000000000002}424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:04.271{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F21CD860B6B6D7AE17C4A92E5F85F9E2,SHA256=05304D4430077923F116E2FED5BF5589B92ED22166BBC62F3280BB8DA9588BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:05.822{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E842B9D4078AA401C3FDA50D8747C61,SHA256=21EB6C785AFA90472ECB3394E3221F3E693F676D63C10EC29ECE7072EB0A0935,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:03.581{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49848-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:05.497{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22398D329D8D2B09402397A00C62B498,SHA256=9266F2B5A1D2115F87002C5DAA3D93620BF699BE4AB1FACB7C8F8F37A5439FA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:05.490{69CF5F33-BF40-6156-1C00-000000000002}1900NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20211001075649-010MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:05.556{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC64F13701256A7CA65D72E9DB11C4F,SHA256=17B7052776C663CA735543C5D4A1698C3F6E23AA154AEB2D1613723CF4635507,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:05.322{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-C1A9-6156-1501-000000000002}6116C:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\dismhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:05.306{5EBD8912-BFA9-6156-8100-000000000002}37164080C:\Windows\system32\csrss.exe{5EBD8912-C1A9-6156-1501-000000000002}6116C:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\dismhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:05.306{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:05.306{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:05.306{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:05.306{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:05.317{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AB5B4CE4D7E4C2D99E63A0A74BEF503,SHA256=B6193A4F9A5C5E5FCC441E8B932816EC8CA8569392B51A154C728BC1432D27E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:05.114{69CF5F33-C1A8-6156-DD00-000000000002}28522788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:05.306{5EBD8912-C19D-6156-0601-000000000002}51965988C:\Windows\system32\cleanmgr.exe{5EBD8912-C1A9-6156-1501-000000000002}6116C:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\dismhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\system32\Dism\DismCore.dll+273f6|C:\Windows\system32\Dism\DismCore.dll+8eaa|C:\Windows\system32\Dism\DismCore.dll+58d4|C:\Windows\system32\DismApi.DLL+55381|C:\Windows\system32\DismApi.DLL+2c46a|C:\Windows\system32\DismApi.DLL+25f06|C:\Windows\system32\DismApi.DLL+24ceb|C:\Windows\system32\DismApi.DLL+2466f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001765284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:05.308{5EBD8912-C1A9-6156-1501-000000000002}6116C:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\DismHost.exe10.0.14393.4169 (rs1_release.210107-1130)Dism Host Servicing ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationDismHost.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\dismhost.exe {FC83E0ED-B9B7-4D32-AC58-FDE2709D20CC}C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-BFAA-6156-B302-080000000000}0x802b32HighMD5=A59C22B77871CC18970038B7FA43826F,SHA256=CB84B51713BAD689ABB96560E57A71B276D4B28B1C09C7116EE85F5782A1B144,IMPHASH=734010D3430DBD2CA51B599924FE1424{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\System32\cleanmgr.exeC:\Windows\system32\cleanmgr.exe /autoclean /d C: 11241100x80000000000000001765283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.275{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-service-winsvc-l1-1-0.dll2021-10-01 08:07:05.275 11241100x80000000000000001765282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.275{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-service-private-l1-1-1.dll2021-10-01 08:07:05.275 11241100x80000000000000001765281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.275{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-service-private-l1-1-0.dll2021-10-01 08:07:05.275 11241100x80000000000000001765280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.275{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-service-management-l2-1-0.dll2021-10-01 08:07:05.275 11241100x80000000000000001765279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.275{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-service-management-l1-1-0.dll2021-10-01 08:07:05.275 11241100x80000000000000001765278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.275{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-service-core-l1-1-1.dll2021-10-01 08:07:05.275 11241100x80000000000000001765277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.275{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-service-core-l1-1-0.dll2021-10-01 08:07:05.275 11241100x80000000000000001765276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.275{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-security-sddl-l1-1-0.dll2021-10-01 08:07:05.275 11241100x80000000000000001765275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.275{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-security-provider-L1-1-0.dll2021-10-01 08:07:05.275 11241100x80000000000000001765274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.259{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-security-lsapolicy-l1-1-0.dll2021-10-01 08:07:05.259 11241100x80000000000000001765273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.259{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-Security-Lsalookup-L2-1-1.dll2021-10-01 08:07:05.259 11241100x80000000000000001765272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.259{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-Security-Lsalookup-L2-1-0.dll2021-10-01 08:07:05.259 11241100x80000000000000001765271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.259{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-security-cryptoapi-l1-1-0.dll2021-10-01 08:07:05.259 11241100x80000000000000001765270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.259{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-security-base-l1-1-0.dll2021-10-01 08:07:05.259 11241100x80000000000000001765269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.259{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-EventLog-Legacy-L1-1-0.dll2021-10-01 08:07:05.259 11241100x80000000000000001765268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.259{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-Eventing-Provider-L1-1-0.dll2021-10-01 08:07:05.259 11241100x80000000000000001765267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.259{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-Eventing-Legacy-L1-1-0.dll2021-10-01 08:07:05.259 11241100x80000000000000001765266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.259{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-Eventing-Controller-L1-1-0.dll2021-10-01 08:07:05.259 11241100x80000000000000001765265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.259{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-eventing-consumer-l1-1-0.dll2021-10-01 08:07:05.259 11241100x80000000000000001765264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.259{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-Eventing-ClassicProvider-L1-1-0.dll2021-10-01 08:07:05.259 11241100x80000000000000001765263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.243{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-devices-config-L1-1-1.dll2021-10-01 08:07:05.243 11241100x80000000000000001765262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.243{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-devices-config-L1-1-0.dll2021-10-01 08:07:05.243 11241100x80000000000000001765261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.243{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-core-xstate-l2-1-0.dll2021-10-01 08:07:05.243 11241100x80000000000000001765260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.243{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-xstate-l1-1-0.dll2021-10-01 08:07:05.243 11241100x80000000000000001765259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.243{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-wow64-l1-1-0.dll2021-10-01 08:07:05.243 11241100x80000000000000001765258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.243{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-version-l1-1-0.dll2021-10-01 08:07:05.243 11241100x80000000000000001765257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.243{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-util-l1-1-0.dll2021-10-01 08:07:05.243 11241100x80000000000000001765256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.243{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-url-l1-1-0.dll2021-10-01 08:07:05.243 11241100x80000000000000001765255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.228{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-timezone-l1-1-0.dll2021-10-01 08:07:05.228 11241100x80000000000000001765254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.228{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-threadpool-private-l1-1-0.dll2021-10-01 08:07:05.228 11241100x80000000000000001765253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.228{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-threadpool-legacy-l1-1-0.dll2021-10-01 08:07:05.228 11241100x80000000000000001765252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.228{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-threadpool-l1-2-0.dll2021-10-01 08:07:05.228 11241100x80000000000000001765251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.228{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-sysinfo-l1-2-1.dll2021-10-01 08:07:05.228 11241100x80000000000000001765250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.228{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-sysinfo-l1-2-0.dll2021-10-01 08:07:05.228 11241100x80000000000000001765249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.228{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-sysinfo-l1-1-0.dll2021-10-01 08:07:05.228 11241100x80000000000000001765248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.228{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-synch-l1-2-0.dll2021-10-01 08:07:05.228 11241100x80000000000000001765247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.228{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-synch-l1-1-0.dll2021-10-01 08:07:05.228 11241100x80000000000000001765246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.228{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-stringloader-l1-1-1.dll2021-10-01 08:07:05.228 11241100x80000000000000001765245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.228{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-stringansi-l1-1-0.dll2021-10-01 08:07:05.228 11241100x80000000000000001765244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.212{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-core-string-obsolete-l1-1-0.dll2021-10-01 08:07:05.212 11241100x80000000000000001765243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.212{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-core-string-l2-1-0.dll2021-10-01 08:07:05.212 11241100x80000000000000001765242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.212{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-string-l1-1-0.dll2021-10-01 08:07:05.212 11241100x80000000000000001765241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.212{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-shutdown-l1-1-0.dll2021-10-01 08:07:05.212 11241100x80000000000000001765240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.212{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-shlwapi-obsolete-l1-1-0.dll2021-10-01 08:07:05.212 11241100x80000000000000001765239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.212{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-shlwapi-legacy-l1-1-0.dll2021-10-01 08:07:05.212 11241100x80000000000000001765238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.212{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-rtlsupport-l1-1-0.dll2021-10-01 08:07:05.212 11241100x80000000000000001765237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.212{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-registry-l2-1-0.dll2021-10-01 08:07:05.212 11241100x80000000000000001765236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.212{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-registry-l1-1-0.dll2021-10-01 08:07:05.212 11241100x80000000000000001765235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.212{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-realtime-l1-1-0.dll2021-10-01 08:07:05.212 11241100x80000000000000001765234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.197{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-profile-l1-1-0.dll2021-10-01 08:07:05.197 11241100x80000000000000001765233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.197{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-processtopology-obsolete-l1-1-0.dll2021-10-01 08:07:05.197 11241100x80000000000000001765232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.197{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-processthreads-l1-1-2.dll2021-10-01 08:07:05.197 11241100x80000000000000001765231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.197{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-processthreads-l1-1-1.dll2021-10-01 08:07:05.197 11241100x80000000000000001765230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.197{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-processthreads-l1-1-0.dll2021-10-01 08:07:05.197 11241100x80000000000000001765229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.197{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-processenvironment-l1-2-0.dll2021-10-01 08:07:05.197 11241100x80000000000000001765228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.197{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-processenvironment-l1-1-0.dll2021-10-01 08:07:05.197 11241100x80000000000000001765227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.197{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-privateprofile-l1-1-1.dll2021-10-01 08:07:05.197 11241100x80000000000000001765226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.197{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-privateprofile-l1-1-0.dll2021-10-01 08:07:05.197 11241100x80000000000000001765225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.197{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-namedpipe-l1-1-0.dll2021-10-01 08:07:05.197 11241100x80000000000000001765224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.181{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-memory-l1-1-2.dll2021-10-01 08:07:05.181 11241100x80000000000000001765223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.181{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-memory-l1-1-1.dll2021-10-01 08:07:05.181 11241100x80000000000000001765222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.181{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-memory-l1-1-0.dll2021-10-01 08:07:05.181 11241100x80000000000000001765221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.181{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-core-localization-obsolete-l1-2-0.dll2021-10-01 08:07:05.181 11241100x80000000000000001765220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.181{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-localization-l1-2-1.dll2021-10-01 08:07:05.181 11241100x80000000000000001765219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.181{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-localization-l1-2-0.dll2021-10-01 08:07:05.181 11241100x80000000000000001765218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.181{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-libraryloader-l1-1-1.dll2021-10-01 08:07:05.181 11241100x80000000000000001765217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.181{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-libraryloader-l1-1-0.dll2021-10-01 08:07:05.181 11241100x80000000000000001765216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.181{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll2021-10-01 08:07:05.181 11241100x80000000000000001765215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.181{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-Core-Kernel32-Private-L1-1-0.dll2021-10-01 08:07:05.165 11241100x80000000000000001765214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.165{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-kernel32-legacy-l1-1-1.dll2021-10-01 08:07:05.165 11241100x80000000000000001765213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.165{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-kernel32-legacy-l1-1-0.dll2021-10-01 08:07:05.165 11241100x80000000000000001765212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.165{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-io-l1-1-1.dll2021-10-01 08:07:05.165 11241100x80000000000000001765211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.165{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-io-l1-1-0.dll2021-10-01 08:07:05.165 11241100x80000000000000001765210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.165{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-interlocked-l1-1-0.dll2021-10-01 08:07:05.165 11241100x80000000000000001765209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.165{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-Core-Heap-Obsolete-L1-1-0.dll2021-10-01 08:07:05.165 11241100x80000000000000001765208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.165{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-heap-l1-1-0.dll2021-10-01 08:07:05.165 11241100x80000000000000001765207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.165{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-handle-l1-1-0.dll2021-10-01 08:07:05.165 11241100x80000000000000001765206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.150{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-core-file-l2-1-1.dll2021-10-01 08:07:05.150 11241100x80000000000000001765205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.150{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\API-MS-Win-core-file-l2-1-0.dll2021-10-01 08:07:05.150 11241100x80000000000000001765204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.150{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-file-l1-2-1.dll2021-10-01 08:07:05.150 11241100x80000000000000001765203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.150{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-file-l1-2-0.dll2021-10-01 08:07:05.150 11241100x80000000000000001765202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.150{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-file-l1-1-0.dll2021-10-01 08:07:05.150 11241100x80000000000000001765201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.150{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-fibers-l1-1-1.dll2021-10-01 08:07:05.150 11241100x80000000000000001765200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.150{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-fibers-l1-1-0.dll2021-10-01 08:07:05.150 11241100x80000000000000001765199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.150{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-errorhandling-l1-1-1.dll2021-10-01 08:07:05.150 11241100x80000000000000001765198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.150{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-errorhandling-l1-1-0.dll2021-10-01 08:07:05.150 11241100x80000000000000001765197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.134{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-delayload-l1-1-0.dll2021-10-01 08:07:05.134 11241100x80000000000000001765196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.134{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-debug-l1-1-1.dll2021-10-01 08:07:05.134 11241100x80000000000000001765195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.134{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-debug-l1-1-0.dll2021-10-01 08:07:05.134 11241100x80000000000000001765194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.134{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-datetime-l1-1-1.dll2021-10-01 08:07:05.134 11241100x80000000000000001765193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.134{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-datetime-l1-1-0.dll2021-10-01 08:07:05.134 11241100x80000000000000001765192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.134{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-console-l1-1-0.dll2021-10-01 08:07:05.134 11241100x80000000000000001765191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.134{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-comm-l1-1-0.dll2021-10-01 08:07:05.134 11241100x80000000000000001765190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.134{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-core-com-l1-1-0.dll2021-10-01 08:07:05.134 11241100x80000000000000001765189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.134{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\api-ms-win-base-util-l1-1-0.dll2021-10-01 08:07:05.134 11241100x80000000000000001765188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.118{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\WimProvider.dll2021-10-01 08:07:05.118 11241100x80000000000000001765187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.118{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\VhdProvider.dll2021-10-01 08:07:05.118 11241100x80000000000000001765186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.118{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\UnattendProvider.dll2021-10-01 08:07:05.118 11241100x80000000000000001765185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.103{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\TransmogProvider.dll2021-10-01 08:07:05.103 11241100x80000000000000001765184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.103{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\SmiProvider.dll2021-10-01 08:07:05.103 11241100x80000000000000001765183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.103{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\ProvProvider.dll2021-10-01 08:07:05.103 11241100x80000000000000001765182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.087{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\OSProvider.dll2021-10-01 08:07:05.087 11241100x80000000000000001765181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.087{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\OfflineSetupProvider.dll2021-10-01 08:07:05.087 11241100x80000000000000001765180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.087{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\MsiProvider.dll2021-10-01 08:07:05.087 11241100x80000000000000001765179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.087{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\LogProvider.dll2021-10-01 08:07:05.087 11241100x80000000000000001765178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.087{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\IntlProvider.dll2021-10-01 08:07:05.087 11241100x80000000000000001765177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.072{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\ImagingProvider.dll2021-10-01 08:07:05.072 11241100x80000000000000001765176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.072{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\IBSProvider.dll2021-10-01 08:07:05.072 11241100x80000000000000001765175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.072{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\GenericProvider.dll2021-10-01 08:07:05.072 11241100x80000000000000001765174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.072{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\FolderProvider.dll2021-10-01 08:07:05.072 11241100x80000000000000001765173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.072{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\FfuProvider.dll2021-10-01 08:07:05.072 11241100x80000000000000001765172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.009{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\DmiProvider.dll2021-10-01 08:07:05.009 11241100x80000000000000001765171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:05.009{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\DismProv.dll2021-10-01 08:07:05.009 11241100x80000000000000001765170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localEXE2021-10-01 08:07:04.993{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\DismHost.exe2021-10-01 08:07:04.993 11241100x80000000000000001765169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:04.993{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\DismCorePS.dll2021-10-01 08:07:04.993 11241100x80000000000000001765168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:04.993{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\DismCore.dll2021-10-01 08:07:04.993 11241100x80000000000000001765167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-10-01 08:07:04.993{5EBD8912-C19D-6156-0601-000000000002}5196C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\CompatProvider.dll2021-10-01 08:07:04.993 23542300x80000000000000001765295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:06.853{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D9B997E214819F2672A14D1DB0CBAEA,SHA256=48BEAD413950B0052CC470B1501714E7A8C854504A17E5D37AB47B8F93B89992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:06.521{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33289CF249FFA4A9A28F118D263050F,SHA256=9CF2A3E42E1910D7E555C8654F3E9F91A7FE7C03F1920DAD724532B738036898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:06.306{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C219DD5E6F349EA221264AC85508D401,SHA256=E20E7040110DADA8B09342B7F8EC979B68FC40EB6F25F552A39B2FCEDBA23E3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001670841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:06.506{69CF5F33-BF41-6156-2B00-000000000002}28442864C:\Windows\system32\conhost.exe{69CF5F33-C1AA-6156-DE00-000000000002}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:06.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:06.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:06.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:06.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:06.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:06.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:06.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:06.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:06.506{69CF5F33-BF3F-6156-0C00-000000000002}740788C:\Windows\system32\svchost.exe{69CF5F33-BF40-6156-1F00-000000000002}1992C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001670831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:06.506{69CF5F33-BF3F-6156-0500-000000000002}4161012C:\Windows\system32\csrss.exe{69CF5F33-C1AA-6156-DE00-000000000002}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001670830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:06.506{69CF5F33-BF40-6156-1A00-000000000002}18723644C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-C1AA-6156-DE00-000000000002}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001670829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:06.506{69CF5F33-C1AA-6156-DE00-000000000002}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-BF3F-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-BF40-6156-1A00-000000000002}1872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:07.568{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F2C389C1634B4B1839EC9C50C658C2,SHA256=ED8B3783BD9D9592AD76357A9D0AA7667A095DE15342183A1FCCBFAE3E7B444F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:06.007{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61930-false10.0.1.12-8000- 23542300x80000000000000001670843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:07.521{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DC02F5215455295B60CE746CAF7E8AC,SHA256=F147DC052C2502D4DDE94F021825F41828F235AD34B984737BA778BE11A734EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:08.771{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF91BB366C6406E3C29B5D7D6127F8AB,SHA256=DF5F041028D7F1F0C6456A39BAA7A2210C98D5448E592D212E412014C2843DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:08.822{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1B434EAF0F7D9E506F4930B1F48DD2B5,SHA256=92A2349484A2EE856614403BACCDE0E07AC263F45EE96C1E10C45F0C3D15551F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:08.822{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BEA5F0A51DC14FF3E806599FA7692E28,SHA256=0413BCD3D12EC7CE37C38C52706C67AD850EDD86DAA7840D52ADEB4D1C3E2F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:08.697{5EBD8912-C1A9-6156-1501-000000000002}6116ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\dismhost.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.blfMD5=2323911939D1AA8F0195229DFCCE48E4,SHA256=1EFA82780DA48CCC4620E2FFEF60B9D102F267D2AB401B9D7C2BE7A1BFA0DE0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:08.697{5EBD8912-C1A9-6156-1501-000000000002}6116ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\dismhost.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.2.regtrans-msMD5=B6D81B360A5672D80C27430F39153E2C,SHA256=30E14955EBF1352266DC2FF8067E68104607E750ABB9D3B36582B8AF909FCB58,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x80000000000000001765299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:08.665{5EBD8912-C1A9-6156-1501-000000000002}6116ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\dismhost.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.1.regtrans-msMD5=B6D81B360A5672D80C27430F39153E2C,SHA256=30E14955EBF1352266DC2FF8067E68104607E750ABB9D3B36582B8AF909FCB58,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x80000000000000001765298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:08.650{5EBD8912-C1A9-6156-1501-000000000002}6116ATTACKRANGE\AdministratorC:\Users\ADMINI~1\AppData\Local\Temp\456F3CA7-1C2F-4B1A-8DC6-7C0019D5D0D1\dismhost.exeC:\Windows\System32\config\COMPONENTS{5a78f163-4b54-11e6-80cb-e41d2d012050}.TxR.0.regtrans-msMD5=8A7F31E4FA3C8E2617498494A091D4CB,SHA256=95ED45DDDFF38BFFDB857D7CB682DC9CD866602DB4FE8BEFE28972D5A594DFC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:08.009{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90DD007B3F25332CD3CEA6442B5640EA,SHA256=4098C3AB922D5034DDC7AC62127404040691E0DE57CC04B8EE1D8838403B24CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:09.927{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B06DB2C81A17FC9FE71ABF7CE56D8F1A,SHA256=7CFE8169E600CBC7952F466539401423E0DF683D0EA92E9E633544B28D76849D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.525{5EBD8912-C1AD-6156-1701-000000000002}37005760C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{5EBD8912-C1AD-6156-1601-000000000002}6044C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001765325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.353{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-C1AD-6156-1701-000000000002}3700C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.337{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.337{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.337{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.337{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.337{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C1AD-6156-1701-000000000002}3700C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.337{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-C1AD-6156-1701-000000000002}3700C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001765318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.342{5EBD8912-C1AD-6156-1701-000000000002}3700C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{5EBD8912-BF43-6156-0C00-000000000002}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001765317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.306{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-C1AD-6156-1601-000000000002}6044C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.290{5EBD8912-BF41-6156-0A00-000000000002}6282704C:\Windows\system32\services.exe{5EBD8912-C1AD-6156-1601-000000000002}6044C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.290{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.290{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.290{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.290{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C1AD-6156-1601-000000000002}6044C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.290{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.290{5EBD8912-BF41-6156-0A00-000000000002}628700C:\Windows\system32\services.exe{5EBD8912-C1AD-6156-1601-000000000002}6044C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001765309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.287{5EBD8912-C1AD-6156-1601-000000000002}6044C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001765308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.275{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.275{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.275{5EBD8912-BF43-6156-0C00-000000000002}844372C:\Windows\system32\svchost.exe{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.275{5EBD8912-BF41-6156-0B00-000000000002}636764C:\Windows\system32\lsass.exe{5EBD8912-BF41-6156-0A00-000000000002}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001765304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:09.025{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FC5DB86FD8217FFB186B1F9565CA6C,SHA256=91719E84A44BB1A44C39FDFA22AECF985CEBCBC076E62472CF08AC259DBB39F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:08.706{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49849-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001765329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:10.323{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1B434EAF0F7D9E506F4930B1F48DD2B5,SHA256=92A2349484A2EE856614403BACCDE0E07AC263F45EE96C1E10C45F0C3D15551F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:10.323{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30574AD6D3BBDF95371DDB94BB601A77,SHA256=C8B9369A4C58606A165D53C5538345EC94C399A92CC6287412F0328BA1CC8F4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:10.025{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF23B350CAAAE94EE247FC14F20D740,SHA256=F650CCCAB09BC07D28C6F0D6F9E0627B6974FC4EFA5D5C4A0177AE064BE1775A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:11.145{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD3FB3B519763D6B6D02BA30A9401252,SHA256=4D0D1E27DA13B4DFBA1EF632238B4C5CBF72B2215FAA2879539326D72383EBC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:11.057{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A23112DA402B0CBE919D1A4D8A6050,SHA256=0B3A28B6DBE5AB91A39F23A6069CECCF03209C992A088EC4C2EA189FB87B72F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:12.379{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C45BE973F98CCC139FE74679658A9128,SHA256=CBF3A6D60E7F01D9C90171E415927B08FB9B656F5AA89DCD6E43EC52CB40DC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:12.057{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA6774000C3251ACE53A94FBD8F648A,SHA256=3EF37ABBCDB7FC95CF8C97623C1BAC5CADE8B8EC8E13A63060679935F2063AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:13.441{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F08E5E7205ADD9155E604F55C586833,SHA256=794EA998AE6409764E29257AB9167CD4616762356F96293473BB27764D49A27E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:11.196{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61931-false10.0.1.12-8000- 23542300x80000000000000001765332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:13.073{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0A0BC95498EC6BF05DEBADDB628D18,SHA256=ED423423E07E76CD609FB5689CDB47D6D8C477015E3733C811C7AABCFE856E5E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001670852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:07:14.988{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69b-0x5864768b) 23542300x80000000000000001670851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:14.675{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FFECD4D5559415A036BB5CC30BEB5C,SHA256=A4FBF6DFE789FC23AD8721A8C2DA13D46E1956033A360A4570156936BD884BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:14.292{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47CE4BC02CF5276DCC1BB65A4386D27,SHA256=7B83D402C5C48B683A78549BCABBB84CEFD70E26541DBB1E0E581312F7FAE396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:15.769{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E6B599516C9944C4156106BCE82C840,SHA256=B53278F5F650359004413E0B57AF6BA7352B00CC37C8BE022311F4B6CFB84755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:15.370{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3812F9FAD13482F6779444EF582CAF9,SHA256=A32340F8C0589BDE2ECE1A9DEEDF11F36BC50824549B66A199EFC1209C059B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:16.847{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=624667591EA90716E4AEECECDE201572,SHA256=46C623B6D336CD1374FEA90D138CD6C4AEE08FBB514B9CF383562CC81666A661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:16.401{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BDBD9568EC22DF6951C27BA32F4A069,SHA256=1BE92CDCF41F821B8096BAAF7182CA31517BC38A443F4504F1D45ABDB1642AAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:14.472{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49850-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001765337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:17.495{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E21B3B4D92D88E3920F358B663C06EE,SHA256=2C4C19B0EFE95520FF8EAE5A2D636436DB81C740757086F56F2AD9DF913ABBCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:18.096{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C5DFB7650BE95ACACD7F37CB89170C,SHA256=18E039B35511C2FDC7F5AE19A866FAD5D95F70833807B7C44B690B91685569E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:18.510{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FC59E6911C015ADE5374BE38F0E6C9,SHA256=E6EE343949EFE587AE15E45F182B352930636282A6714B2F8D18B2E23F6717EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:19.315{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7405B9E1561B71A7A2A0BA882FEB6210,SHA256=65E89C02D7E11452B22C7ABBBCF315A1322672A58D5538A0A48A27FDE47B5786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:19.526{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FF8EFB89EA41CA9B405743A3837F15,SHA256=76D7F093EEEBDCDCA0A18A283A42A4C72B5D3A1F831D1E6A403A52A69A14EC77,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:17.149{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61932-false10.0.1.12-8000- 23542300x80000000000000001670858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:20.486{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4636E25CCE9C9B223F5A09B15F0350,SHA256=EEA1F82A03AB994CF3354284106B8B6A6DC1021231F3AD3C3718689EDEC0A010,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:20.776{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C1B8-6156-1801-000000000002}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:20.776{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:20.776{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:20.776{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:20.776{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:20.776{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C1B8-6156-1801-000000000002}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:20.776{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C1B8-6156-1801-000000000002}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001765342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:20.636{5EBD8912-C1B8-6156-1801-000000000002}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001765341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:20.651{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B9ABE63A4EFBAF5DE08D74BDB20D8F6,SHA256=4CCD857223842DD37884BC0CF1AA9E9C1A138D0A3483117BD6AF7042CD8D755D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:21.885{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C1B9-6156-1901-000000000002}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:21.885{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:21.885{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:21.885{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:21.885{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:21.885{5EBD8912-BF40-6156-0500-000000000002}408424C:\Windows\system32\csrss.exe{5EBD8912-C1B9-6156-1901-000000000002}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:21.885{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C1B9-6156-1901-000000000002}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001765353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:21.761{5EBD8912-C1B9-6156-1901-000000000002}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001765352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:21.667{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E92F1F962764BF4C697B8B133EA2D84E,SHA256=007B1D44920AF6646D5149CC39AE64EC430997E15861FD30A34945B60AB5308F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:21.667{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DC3A1316838E59FE24468DDB4D445D7,SHA256=DC940D9F2B959466CAAA2B93B7728FB88DFC942A6B0D7390348E5A4FEDA682CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:21.651{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A65F5AC8553CB4F245719319929A65EF,SHA256=77210675156F557C598BB58D660F2C659E7BC3205961FF25034933B1A18720B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:21.549{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=FF48B38D56D5CC363633E857D1D24FD7,SHA256=38C4F2A3B09409C674A48E0F738188D794844429F0F22AF0163569E52B6341B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:21.549{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE660BC6BC008ECDB1B249C61991CC1,SHA256=F739B318658C7B3BB8F7616F76770823429C008F56CFAE1E77D3C47F68845313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:21.549{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=859CEEDC9883F3D9BE3300660D676317,SHA256=8E4DBF49E8012D08FA6AF9DE97067EDE5F1AC8E6C0BBC55A4B600B57C0E33240,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:19.612{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49851-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001765374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.839{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C1BA-6156-1A01-000000000002}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.839{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.839{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.839{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.839{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.839{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C1BA-6156-1A01-000000000002}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.839{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C1BA-6156-1A01-000000000002}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001765367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.714{5EBD8912-C1BA-6156-1A01-000000000002}2828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001765366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.823{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E92F1F962764BF4C697B8B133EA2D84E,SHA256=007B1D44920AF6646D5149CC39AE64EC430997E15861FD30A34945B60AB5308F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.698{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98354D45791CE2F6B9C22CB912FA820B,SHA256=97B4A8D1C86D119ED72AD9B7728AB02FA08966383401350F61E34CC5ECFBCB7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:22.580{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C65712748DB582452427D6DE0A74CBDA,SHA256=C5DB008B81560D96D9C30E26FDFE7539CD2B07132B4BDB48B79662A1D0816893,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001765364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:07:22.120{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001765363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:07:22.120{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001765362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-10-01 08:07:22.120{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 10341000x80000000000000001765361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.088{5EBD8912-C1B9-6156-1901-000000000002}37484288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001670866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:23.751{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACED21FBCDCB9762F836FF50AF456D54,SHA256=7E602E6A7BF2282EC3F7B870DEA3BF8CED3502689D8D180DEE0A6A4C27B53FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:23.751{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7396E346C8DBE632C53E5D50B774FAA,SHA256=9A6D79E814D7AA40FF62ED3BC0D5DF96F5AC8BC13E358EDEE5CA31FBAD05685D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:23.595{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D6A139DC4888AF1DECB8C23252F8FC,SHA256=BDAA64F9DF2CA81E954C41FD057F402187331A5FDEAF562845DB168A35A83C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:23.966{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20211001075710-009MD5=E961008872A85D9E7B2EDCDB9076BE5A,SHA256=4C7B4263F3F8553ACCFCCC53A0FA56737D447810FFCB4A43A3BA8D688A9FDFED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:23.745{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42236B78540EA57ABCF9146E0276941F,SHA256=83CD1A8AA6C0460C23608C346C2994FA22150EA09708CCFDCD4486682A91BC22,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.124{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61935-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001765379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.124{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61935-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001765378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.109{5EBD8912-BF43-6156-0D00-000000000002}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61934-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001765377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.108{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61934-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001765376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:21.041{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61933-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001765375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:21.041{5EBD8912-BF53-6156-2300-000000000002}2732C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61933-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001670868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:24.610{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F3D50C091FD3882E8D3504F5A32151,SHA256=49658B8DC0A96A621B75B149C4FE98DF3E60614BB691C763C1A90E3B8818505F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:24.971{5EBD8912-BF53-6156-2600-000000000002}2864NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20211001075708-010MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:24.752{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9891345A59F74AFE5F07B99B44D178,SHA256=F0DD9132CF9572D87342D09A797AB01504EF5C7FF3FC94AD6E66A95732C2044A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:22.113{69CF5F33-BF40-6156-0F00-000000000002}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse47.181.68.46static-47-181-68-46.lsan.ca.frontiernet.net16874-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001765393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:24.518{5EBD8912-C1BC-6156-1B01-000000000002}52964492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001765392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.132{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61936-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001765391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:22.131{5EBD8912-BF53-6156-2B00-000000000002}2960C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61936-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 10341000x80000000000000001765390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:24.330{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C1BC-6156-1B01-000000000002}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:24.315{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:24.315{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:24.315{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C1BC-6156-1B01-000000000002}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:24.315{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:24.315{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:24.315{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C1BC-6156-1B01-000000000002}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001765383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:24.160{5EBD8912-C1BC-6156-1B01-000000000002}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001765407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:25.753{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E8AA4A6AC2A625A2586BA0E422D9A0,SHA256=54F42B782DF938F5DA1D1BE5C017181715FAFAD720CDDD963DBF21EEAA4E0595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:25.626{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5621FFF35E99231D37796D40D46D480,SHA256=485D8B9F4D54D3A9A44C8281FD1B94D162C6B333A466B0B50E3EA1166E536D17,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:23.196{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61938-false10.0.1.12-8000- 23542300x80000000000000001765405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:25.203{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B93A3EC63DA7BA41CFB6CF7D54FCA8A2,SHA256=B869C2EA1883D12517FE69D8F9C56B2D694056F0AFD8B18A38466BAB400D0499,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:25.187{5EBD8912-C1BD-6156-1C01-000000000002}53245360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:25.047{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C1BD-6156-1C01-000000000002}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:25.047{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:25.047{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:25.047{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:25.047{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:25.047{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C1BD-6156-1C01-000000000002}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:25.047{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C1BD-6156-1C01-000000000002}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001765396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:25.047{5EBD8912-C1BD-6156-1C01-000000000002}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001670871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:26.641{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FB7DC337C8B682EB187AE3318747B3,SHA256=70CA9726DD944EF6E65C9E9A4089DD36B0ABC0EEB192730FF69A1E31DC1BBFE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:26.784{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA05D6F68FEF52021F49E99A638C5EFD,SHA256=B1A449AF52C8B27E08CD3D033B1149E0D013D2E8A80EECE4E0470948DB1FE2B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:24.153{5EBD8912-BF53-6156-2900-000000000002}2932C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54249283- 10341000x80000000000000001765416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:26.331{5EBD8912-C1BE-6156-1D01-000000000002}54925912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:26.128{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C1BE-6156-1D01-000000000002}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:26.128{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:26.128{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:26.128{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:26.128{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:26.128{5EBD8912-BF40-6156-0500-000000000002}408364C:\Windows\system32\csrss.exe{5EBD8912-C1BE-6156-1D01-000000000002}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:26.128{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C1BE-6156-1D01-000000000002}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001765408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:26.003{5EBD8912-C1BE-6156-1D01-000000000002}5492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001670870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:24.643{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49852-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001670872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:27.657{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F371F4AA81F2F9CDA65C448AA6D1ACC3,SHA256=42EBF8BCF241B981BA7D983FF3801DB127551C163889A338AF049734D3AE3D21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:27.831{5EBD8912-BF55-6156-3300-000000000002}31843204C:\Windows\system32\conhost.exe{5EBD8912-C1BF-6156-1E01-000000000002}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:27.815{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:27.815{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:27.815{5EBD8912-BF40-6156-0500-000000000002}408536C:\Windows\system32\csrss.exe{5EBD8912-C1BF-6156-1E01-000000000002}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001765424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:27.815{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:27.815{5EBD8912-BF43-6156-0C00-000000000002}844876C:\Windows\system32\svchost.exe{5EBD8912-BF53-6156-2700-000000000002}2908C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001765422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:27.815{5EBD8912-BF53-6156-2C00-000000000002}30164028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-C1BF-6156-1E01-000000000002}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001765421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:27.675{5EBD8912-C1BF-6156-1E01-000000000002}5380C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-BF41-6156-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-BF53-6156-2C00-000000000002}3016C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001765420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:27.800{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1260C51E75F99E6482FFE1E9C22BEEAB,SHA256=A1EC23FA59B44FAB596C999DEF074D5D5049D875CF27CB4B8B48B34D85C7FC58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:27.065{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E363ACC9391726A2883EF2FFB22B34AA,SHA256=7E0A5E73EFEADE3106625611FBB15423D9CD363E215119E6DA690B53ECAB2A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:28.672{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD59AD449B50D9287057EF037AFACCDB,SHA256=7A45E7337C83BC3F72B21DFA965EB6D9132795DA332152CD4A1CED6F5736CC02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:28.784{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9745B1C883A22719CFFD81187107DEB,SHA256=E98AC5642E90CE0CE1AD5ABF2C0F526F4F75EC984A1BFA0585BF50A1BB59D5E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:29.687{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886B8F94D3584EBE6828C26A5C218153,SHA256=3FBF9D6B88F07C4C436B87641B4E2AE8429F8EFF060246ABAC46DA44B58F28BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:29.003{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F4540296C01259C00D2E1740D0F1EE,SHA256=343BF455ACEE9E8E813A544F2CA86EA02BA8E3F2B8039DC3857825B42D6E973A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:30.703{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F2E2BC8E51592B4ADB6CD42F0ADF952,SHA256=8AE45B6D3513CBCE1E868A0660A77E6E7AAF0A2DB27A087E67E231988635D0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:30.003{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2DEC2F4E0193AFA06CE9D7D177636F,SHA256=693CCB234449E3FC121164F4C797CF145BFE9DD0CF88FE99C1B9F038879F74B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:31.718{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EF6DA3D3C7915334D02BAAF08D5378,SHA256=1038763CB510572B02C293F4CE3583C5643F934D61AAE9F6F8F24905F62994AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:29.204{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61939-false10.0.1.12-8000- 23542300x80000000000000001765432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:31.018{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A812D39C91539236BBA2A14555256C04,SHA256=6EBEBE45C8035D6BF764865084A31C72D30936AC1234660ECDAC41DA2F8FEC90,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001670876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:30.690{69CF5F33-BF4A-6156-6200-000000000002}3688C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49853-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x80000000000000001670879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-10-01 08:07:32.749{69CF5F33-BF40-6156-1000-000000000002}996C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b69b-0x62fa9bd0) 23542300x80000000000000001670878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:32.733{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3989E8C62AF15FDFDC56B90525BD8F9D,SHA256=3B25D4701FB475A928DAC00C28F36A0A9EAC4CB88DD4ABBF8B88C6938674FA83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001765435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:32.737{5EBD8912-BF41-6156-0B00-000000000002}636676C:\Windows\system32\lsass.exe{5EBD8912-BF3D-6156-0100-000000000002}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001765434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:32.018{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F333D52A4030BEB614EB3EC4A64244,SHA256=B9893754A3FA31A2C0D7B996A2543736997DDE14954A6155C2D5334996076646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:33.749{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=500D07CCD0C66F0F40E6AFE2EC55C8D1,SHA256=EE02DE6785B08CE007B4F53812908C83D9B9C47B293586E29C3039FD398216D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:33.846{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB22489CF30F23A8F3596FABDF239C88,SHA256=2A9A40F2A41F9D4F6E39085F0F98D533502FB828BEAA19AC780FC1F5C1CD4175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:33.846{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4E5F35BCE0B95BF548C66D1A0C06F4E,SHA256=6A825AEA23B929975A8EBFD013AB138B8267173F129D13B9E196278CA87E3303,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:32.642{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local61941-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001765439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:32.642{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61941-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001765438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:32.629{5EBD8912-BF41-6156-0B00-000000000002}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61940-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001765437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:32.629{5EBD8912-BF43-6156-1600-000000000002}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61940-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001765436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:33.034{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874F053898C8262B57CBED5C8835B406,SHA256=39257A558786C09ADA1ABF2914F8974D65F0A30D7DFFB886931E6FCE776932FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001670881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:34.764{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81855857D12A4CC3428E50AC862A8F9B,SHA256=78EAA0060E12A23352605444316082D645D67B625A65B3FC2577D5A487D5C7C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:34.050{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31586DF5FE13F763A8CBC8AB77CF2AF5,SHA256=8BFE0FF907E9F106455DE7AD83E94EC74C2B006348D909AC384FC7D96DCC8DA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:32.739{5EBD8912-BF3D-6156-0100-000000000002}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61942-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001765443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:32.739{5EBD8912-BF3D-6156-0100-000000000002}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61942-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001670882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-10-01 08:07:35.780{69CF5F33-BF52-6156-6C00-000000000002}2968NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD2FC7E6D2EB512F0473C4A57E991580,SHA256=4AA6EE19F4C3CFB1711D8FD0F41C287D237DECCE4EB852571F8095D88EF0C141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:35.050{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=570575498BF15D5FA550D30EB817FE73,SHA256=75F194842F97C5018991E567FD1C2715FBC6674AA92C52A5D3E3A6CF1327418B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001765448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:35.188{5EBD8912-BF5F-6156-6A00-000000000002}3820C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local61943-false10.0.1.12-8000- 23542300x80000000000000001765447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-10-01 08:07:36.065{5EBD8912-BF66-6156-7300-000000000002}3480NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5592B13783FF799F8826270EB169D1,SHA256=54BED21B0CB606C7A76BDE1C1271D2F63FC4F2C0FF08A1F6ED45012BB4FBEAD8,IMPHASH=00000000000000000000000000000000falsetrue